From patchwork Wed Jun 10 14:00:57 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Guo, Yejun" X-Patchwork-Id: 20265 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id C319E4495C3 for ; Wed, 10 Jun 2020 17:04:15 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id A298A68B28B; Wed, 10 Jun 2020 17:04:15 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 2E2186881A5 for ; Wed, 10 Jun 2020 17:04:08 +0300 (EEST) IronPort-SDR: vokmbQhip5pqyzzojjcqs1K7qUuCXmGerubdKZRIlh0RO4g72WzXSYEDblX1LYMiVt0ird1kab r2fq40W63/lA== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Jun 2020 07:04:06 -0700 IronPort-SDR: ApGk/mDozwxXO7kwbpcKBiBrKYDEWCN2kWtqNA6sBWtin2e73jyx0JMDNoaqIg1jhLCD0B3fAU G+1WClfx/NEw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.73,496,1583222400"; d="scan'208";a="473432315" Received: from yguo18-skl-u1604.sh.intel.com ([10.239.159.53]) by fmsmga005.fm.intel.com with ESMTP; 10 Jun 2020 07:04:04 -0700 From: Guo Yejun To: ffmpeg-devel@ffmpeg.org Date: Wed, 10 Jun 2020 22:00:57 +0800 Message-Id: <1591797657-31866-1-git-send-email-yejun.guo@intel.com> X-Mailer: git-send-email 2.7.4 Subject: [FFmpeg-devel] [PATCH 2/2] dnn_backend_native: check operand index X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: yejun.guo@intel.com MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" it fixed the issue in https://trac.ffmpeg.org/ticket/8716 Signed-off-by: Guo Yejun --- libavfilter/dnn/dnn_backend_native.c | 6 +++++- libavfilter/dnn/dnn_backend_native_layer_conv2d.c | 7 ++++++- libavfilter/dnn/dnn_backend_native_layer_conv2d.h | 2 +- libavfilter/dnn/dnn_backend_native_layer_depth2space.c | 6 +++++- libavfilter/dnn/dnn_backend_native_layer_depth2space.h | 2 +- libavfilter/dnn/dnn_backend_native_layer_mathbinary.c | 12 +++++++++++- libavfilter/dnn/dnn_backend_native_layer_mathbinary.h | 2 +- libavfilter/dnn/dnn_backend_native_layer_mathunary.c | 6 +++++- libavfilter/dnn/dnn_backend_native_layer_mathunary.h | 2 +- libavfilter/dnn/dnn_backend_native_layer_maximum.c | 6 +++++- libavfilter/dnn/dnn_backend_native_layer_maximum.h | 2 +- libavfilter/dnn/dnn_backend_native_layer_pad.c | 6 +++++- libavfilter/dnn/dnn_backend_native_layer_pad.h | 2 +- libavfilter/dnn/dnn_backend_native_layers.h | 2 +- 14 files changed, 49 insertions(+), 14 deletions(-) diff --git a/libavfilter/dnn/dnn_backend_native.c b/libavfilter/dnn/dnn_backend_native.c index 12695a0..35236fc 100644 --- a/libavfilter/dnn/dnn_backend_native.c +++ b/libavfilter/dnn/dnn_backend_native.c @@ -196,7 +196,7 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename) } network->layers[layer].type = layer_type; - parsed_size = layer_funcs[layer_type].pf_load(&network->layers[layer], model_file_context, file_size); + parsed_size = layer_funcs[layer_type].pf_load(&network->layers[layer], model_file_context, file_size, network->operands_num); if (!parsed_size) { goto fail; } @@ -209,6 +209,10 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename) int32_t operand_index = (int32_t)avio_rl32(model_file_context); dnn_size += 4; + if (operand_index >= network->operands_num) { + goto fail; + } + oprd = &network->operands[operand_index]; name_len = (int32_t)avio_rl32(model_file_context); dnn_size += 4; diff --git a/libavfilter/dnn/dnn_backend_native_layer_conv2d.c b/libavfilter/dnn/dnn_backend_native_layer_conv2d.c index 7b29697..c05bb5e 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_conv2d.c +++ b/libavfilter/dnn/dnn_backend_native_layer_conv2d.c @@ -23,7 +23,7 @@ #define CLAMP_TO_EDGE(x, w) ((x) < 0 ? 0 : ((x) >= (w) ? (w - 1) : (x))) -int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size) +int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num) { ConvolutionalParams *conv_params; int kernel_size; @@ -80,6 +80,11 @@ int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int fil layer->input_operand_indexes[0] = (int32_t)avio_rl32(model_file_context); layer->output_operand_index = (int32_t)avio_rl32(model_file_context); dnn_size += 8; + + if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) { + return 0; + } + return dnn_size; } diff --git a/libavfilter/dnn/dnn_backend_native_layer_conv2d.h b/libavfilter/dnn/dnn_backend_native_layer_conv2d.h index bf87264..eeb15fd 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_conv2d.h +++ b/libavfilter/dnn/dnn_backend_native_layer_conv2d.h @@ -36,7 +36,7 @@ typedef struct ConvolutionalParams{ float *biases; } ConvolutionalParams; -int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size); +int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); int dnn_execute_layer_conv2d(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); #endif diff --git a/libavfilter/dnn/dnn_backend_native_layer_depth2space.c b/libavfilter/dnn/dnn_backend_native_layer_depth2space.c index 7dab19d..324871c 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_depth2space.c +++ b/libavfilter/dnn/dnn_backend_native_layer_depth2space.c @@ -27,7 +27,7 @@ #include "libavutil/avassert.h" #include "dnn_backend_native_layer_depth2space.h" -int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size) +int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num) { DepthToSpaceParams *params; int dnn_size = 0; @@ -42,6 +42,10 @@ int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, in dnn_size += 8; layer->params = params; + if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) { + return 0; + } + return dnn_size; } diff --git a/libavfilter/dnn/dnn_backend_native_layer_depth2space.h b/libavfilter/dnn/dnn_backend_native_layer_depth2space.h index e5465f1..b2901e0 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_depth2space.h +++ b/libavfilter/dnn/dnn_backend_native_layer_depth2space.h @@ -34,7 +34,7 @@ typedef struct DepthToSpaceParams{ int block_size; } DepthToSpaceParams; -int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size); +int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); int dnn_execute_layer_depth2space(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); diff --git a/libavfilter/dnn/dnn_backend_native_layer_mathbinary.c b/libavfilter/dnn/dnn_backend_native_layer_mathbinary.c index edc389d..b239a20 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_mathbinary.c +++ b/libavfilter/dnn/dnn_backend_native_layer_mathbinary.c @@ -27,7 +27,7 @@ #include "libavutil/avassert.h" #include "dnn_backend_native_layer_mathbinary.h" -int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size) +int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num) { DnnLayerMathBinaryParams *params; int dnn_size = 0; @@ -45,6 +45,9 @@ int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, in params->v = av_int2float(avio_rl32(model_file_context)); } else { layer->input_operand_indexes[input_index] = (int32_t)avio_rl32(model_file_context); + if (layer->input_operand_indexes[input_index] >= operands_num) { + return 0; + } input_index++; } dnn_size += 4; @@ -55,6 +58,9 @@ int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, in params->v = av_int2float(avio_rl32(model_file_context)); } else { layer->input_operand_indexes[input_index] = (int32_t)avio_rl32(model_file_context); + if (layer->input_operand_indexes[input_index] >= operands_num) { + return 0; + } input_index++; } dnn_size += 4; @@ -63,6 +69,10 @@ int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, in dnn_size += 4; layer->params = params; + if (layer->output_operand_index >= operands_num) { + return 0; + } + return dnn_size; } diff --git a/libavfilter/dnn/dnn_backend_native_layer_mathbinary.h b/libavfilter/dnn/dnn_backend_native_layer_mathbinary.h index f3dbbeb..0acf3b0 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_mathbinary.h +++ b/libavfilter/dnn/dnn_backend_native_layer_mathbinary.h @@ -46,7 +46,7 @@ typedef struct DnnLayerMathBinaryParams{ float v; } DnnLayerMathBinaryParams; -int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size); +int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); int dnn_execute_layer_math_binary(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); diff --git a/libavfilter/dnn/dnn_backend_native_layer_mathunary.c b/libavfilter/dnn/dnn_backend_native_layer_mathunary.c index d65af15..0d3627f 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_mathunary.c +++ b/libavfilter/dnn/dnn_backend_native_layer_mathunary.c @@ -27,7 +27,7 @@ #include "libavutil/avassert.h" #include "dnn_backend_native_layer_mathunary.h" -int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int file_size) +int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num) { DnnLayerMathUnaryParams *params; int dnn_size = 0; @@ -42,6 +42,10 @@ int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int layer->output_operand_index = (int32_t)avio_rl32(model_file_context); dnn_size += 8; + if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) { + return 0; + } + return dnn_size; } diff --git a/libavfilter/dnn/dnn_backend_native_layer_mathunary.h b/libavfilter/dnn/dnn_backend_native_layer_mathunary.h index 4e44003..a9a8a0d 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_mathunary.h +++ b/libavfilter/dnn/dnn_backend_native_layer_mathunary.h @@ -38,7 +38,7 @@ typedef struct DnnLayerMathUnaryParams{ DNNMathUnaryOperation un_op; } DnnLayerMathUnaryParams; -int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int file_size); +int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); int dnn_execute_layer_math_unary(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); diff --git a/libavfilter/dnn/dnn_backend_native_layer_maximum.c b/libavfilter/dnn/dnn_backend_native_layer_maximum.c index 19f0e8d..af16e08 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_maximum.c +++ b/libavfilter/dnn/dnn_backend_native_layer_maximum.c @@ -27,7 +27,7 @@ #include "libavutil/avassert.h" #include "dnn_backend_native_layer_maximum.h" -int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int file_size) +int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num) { DnnLayerMaximumParams *params; int dnn_size = 0; @@ -42,6 +42,10 @@ int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int fi layer->output_operand_index = (int32_t)avio_rl32(model_file_context); dnn_size += 8; + if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) { + return 0; + } + return dnn_size; } diff --git a/libavfilter/dnn/dnn_backend_native_layer_maximum.h b/libavfilter/dnn/dnn_backend_native_layer_maximum.h index 601158b..c049c63 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_maximum.h +++ b/libavfilter/dnn/dnn_backend_native_layer_maximum.h @@ -37,7 +37,7 @@ typedef struct DnnLayerMaximumParams{ }val; } DnnLayerMaximumParams; -int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int file_size); +int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); int dnn_execute_layer_maximum(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); diff --git a/libavfilter/dnn/dnn_backend_native_layer_pad.c b/libavfilter/dnn/dnn_backend_native_layer_pad.c index 8e5959b..dfbd204 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_pad.c +++ b/libavfilter/dnn/dnn_backend_native_layer_pad.c @@ -22,7 +22,7 @@ #include "libavutil/avassert.h" #include "dnn_backend_native_layer_pad.h" -int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_size) +int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num) { LayerPadParams *params; int dnn_size = 0; @@ -42,6 +42,10 @@ int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_s dnn_size += 8; layer->params = params; + if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) { + return 0; + } + return dnn_size; } diff --git a/libavfilter/dnn/dnn_backend_native_layer_pad.h b/libavfilter/dnn/dnn_backend_native_layer_pad.h index 936a9bd..18e05bd 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_pad.h +++ b/libavfilter/dnn/dnn_backend_native_layer_pad.h @@ -36,7 +36,7 @@ typedef struct LayerPadParams{ float constant_values; } LayerPadParams; -int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_size); +int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); int dnn_execute_layer_pad(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); diff --git a/libavfilter/dnn/dnn_backend_native_layers.h b/libavfilter/dnn/dnn_backend_native_layers.h index 2df0ce9..b696e9c 100644 --- a/libavfilter/dnn/dnn_backend_native_layers.h +++ b/libavfilter/dnn/dnn_backend_native_layers.h @@ -26,7 +26,7 @@ typedef int (*LAYER_EXEC_FUNC)(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); -typedef int (*LAYER_LOAD_FUNC)(Layer *layer, AVIOContext *model_file_context, int file_size); +typedef int (*LAYER_LOAD_FUNC)(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); typedef struct LayerFunc { LAYER_EXEC_FUNC pf_exec;