From patchwork Tue Sep 14 10:50:36 2021
X-Patchwork-Submitter: Lance Wang
X-Patchwork-Id: 30240
From: lance.lmwang@gmail.com
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 14 Sep 2021 18:50:36 +0800
Message-Id: <1631616638-20151-1-git-send-email-lance.lmwang@gmail.com>
Subject: [FFmpeg-devel] [PATCH 1/3] avcodec/hevc_sei: check size before using it
Cc: Limin Wang

From: Limin Wang

Signed-off-by: Limin Wang
--- libavcodec/hevc_sei.c | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index 2c326bf..29d0346 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c 
@@ -52,9 +52,13 @@ static int decode_nal_sei_decoded_picture_hash(HEVCSEIPictureHash *s, GetBitCont return 0; } -static int decode_nal_sei_mastering_display_info(HEVCSEIMasteringDisplay *s, GetBitContext *gb) +static int decode_nal_sei_mastering_display_info(HEVCSEIMasteringDisplay *s, GetBitContext *gb, int size) { int i; + + if (size < 24) + return AVERROR_INVALIDDATA; + // Mastering primaries for (i = 0; i < 3; i++) { s->display_primaries[i][0] = get_bits(gb, 16); @@ -67,23 +71,32 @@ static int decode_nal_sei_mastering_display_info(HEVCSEIMasteringDisplay *s, Get // Max and min luminance of mastering display s->max_luminance = get_bits_long(gb, 32); s->min_luminance = get_bits_long(gb, 32); + size -= 24; // As this SEI message comes before the first frame that references it, // initialize the flag to 2 and decrement on IRAP access unit so it // persists for the coded video sequence (e.g., between two IRAPs) s->present = 2; + + skip_bits_long(gb, 8 * size); return 0; } -static int decode_nal_sei_content_light_info(HEVCSEIContentLight *s, GetBitContext *gb) +static int decode_nal_sei_content_light_info(HEVCSEIContentLight *s, GetBitContext *gb, int size) { + if (size < 4) + return AVERROR_INVALIDDATA; + // Max and average light levels s->max_content_light_level = get_bits(gb, 16); s->max_pic_average_light_level = get_bits(gb, 16); + size -= 4; // As this SEI message comes before the first frame that references it, // initialize the flag to 2 and decrement on IRAP access unit so it // persists for the coded video sequence (e.g., between two IRAPs) s->present = 2; + + skip_bits_long(gb, 8 * size); return 0; } 
@@ -342,10 +355,16 @@ static int decode_nal_sei_active_parameter_sets(HEVCSEI *s, GetBitContext *gb, v return 0; } -static int decode_nal_sei_alternative_transfer(HEVCSEIAlternativeTransfer *s, GetBitContext *gb) +static int decode_nal_sei_alternative_transfer(HEVCSEIAlternativeTransfer *s, GetBitContext *gb, int size) { + if (size < 1) + return AVERROR_INVALIDDATA; + s->present = 1; s->preferred_transfer_characteristics = get_bits(gb, 8); + size--; + + skip_bits_long(gb, 8 * size); return 0; } @@ -451,9 +470,9 @@ static int decode_nal_sei_prefix(GetBitContext *gb, void *logctx, HEVCSEI *s, case SEI_TYPE_PIC_TIMING: return decode_nal_sei_pic_timing(s, gb, ps, logctx, size); case SEI_TYPE_MASTERING_DISPLAY_COLOUR_VOLUME: - return decode_nal_sei_mastering_display_info(&s->mastering_display, gb); + return decode_nal_sei_mastering_display_info(&s->mastering_display, gb, size); case SEI_TYPE_CONTENT_LIGHT_LEVEL_INFO: - return decode_nal_sei_content_light_info(&s->content_light, gb); + return decode_nal_sei_content_light_info(&s->content_light, gb, size); case SEI_TYPE_ACTIVE_PARAMETER_SETS: return decode_nal_sei_active_parameter_sets(s, gb, logctx); case SEI_TYPE_USER_DATA_REGISTERED_ITU_T_T35: @@ -461,7 +480,7 @@ static int decode_nal_sei_prefix(GetBitContext *gb, void *logctx, HEVCSEI *s, case SEI_TYPE_USER_DATA_UNREGISTERED: return decode_nal_sei_user_data_unregistered(&s->unregistered, gb, size); case SEI_TYPE_ALTERNATIVE_TRANSFER_CHARACTERISTICS: - return decode_nal_sei_alternative_transfer(&s->alternative_transfer, gb); + return decode_nal_sei_alternative_transfer(&s->alternative_transfer, gb, size); case SEI_TYPE_TIME_CODE: return decode_nal_sei_timecode(&s->timecode, gb); case SEI_TYPE_FILM_GRAIN_CHARACTERISTICS:
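Review bot: the `if (size < 24)` guard added at the top of decode_nal_sei_mastering_display_info (hunk @@ -52) uses an unexplained constant and only tests the declared payload size. The reads visible in the patch (16-bit primaries in a three-iteration loop, two 32-bit luminance values) account for part of the 24 bytes and the rest is read outside the hunk, so a comment deriving 24 from the field layout, or a named constant, would let a reader verify it. The guard also says nothing about how many bits actually remain in gb; if the caller does not already bound size by get_bits_left(gb), that comparison is still missing.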
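Review bot: `skip_bits_long(gb, 8 * size)` in hunk @@ -67 (end of decode_nal_sei_mastering_display_info and again in decode_nal_sei_content_light_info) multiplies an int payload size by 8 with no upper bound visible in this patch. After `size -= 24` or `size -= 4` the value is known to be non-negative, but a large size would overflow int in the multiplication before the skip. Suggest checking size against the remaining bits before multiplying, or documenting where the caller already guarantees that bound.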
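Review bot: in decode_nal_sei_alternative_transfer (hunk @@ -342) the added `size--;` followed by `skip_bits_long(gb, 8 * size);` changes how much of the payload the function consumes, which the subject "check size before using it" does not cover and the commit message has no body to explain. Please state why the trailing bytes need to be skipped here. The same check, decrement and skip sequence is now written out in three functions; a small helper, or a single skip in the dispatcher, would keep the three from drifting apart.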
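Review bot: the dispatch in decode_nal_sei_prefix (hunks @@ -451 and @@ -461) still calls decode_nal_sei_active_parameter_sets(s, gb, logctx) and decode_nal_sei_timecode(&s->timecode, gb) without size, so those handlers remain outside the new check. Since this is 1/3 of a series, the commit message should say whether they are handled in a later patch or why they do not need the check.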