From patchwork Fri Mar 27 12:57:44 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Anton Khirnov <anton@khirnov.net>
X-Patchwork-Id: 18436
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 0D7B244B885
	for <patchwork@ffaux-bg.ffmpeg.org>; Fri, 27 Mar 2020 14:58:42 +0200 (EET)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id F204B68B80F;
	Fri, 27 Mar 2020 14:58:41 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail.red.khirnov.net (red.khirnov.net [176.97.15.12])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id EB6D468B77C
 for <ffmpeg-devel@ffmpeg.org>; Fri, 27 Mar 2020 14:58:30 +0200 (EET)
Received: from localhost (localhost [IPv6:::1])
 by mail.red.khirnov.net (Postfix) with ESMTP id 91F2B2858A7
 for <ffmpeg-devel@ffmpeg.org>; Fri, 27 Mar 2020 13:58:30 +0100 (CET)
Received: from mail.red.khirnov.net ([IPv6:::1])
 by localhost (mail.red.khirnov.net [IPv6:::1]) (amavisd-new, port 10024)
 with ESMTP id VEFTJjd5I48U for <ffmpeg-devel@ffmpeg.org>;
 Fri, 27 Mar 2020 13:58:30 +0100 (CET)
Received: from quelana.khirnov.net (unknown
 [IPv6:2002:b061:f0a:201:5e:e696:5100:0])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits)
 client-signature RSA-PSS (2048 bits))
 (Client CN "quelana.khirnov.net",
 Issuer "smtp.khirnov.net SMTP CA" (verified OK))
 by mail.red.khirnov.net (Postfix) with ESMTPS id E6E852858A6
 for <ffmpeg-devel@ffmpeg.org>; Fri, 27 Mar 2020 13:58:29 +0100 (CET)
Received: from localhost (quelana.khirnov.net [IPv6:::1])
 by quelana.khirnov.net (Postfix) with ESMTP id 9BAEB21200
 for <ffmpeg-devel@ffmpeg.org>; Fri, 27 Mar 2020 13:58:29 +0100 (CET)
Received: from quelana.khirnov.net ([IPv6:::1])
 by localhost (quelana.khirnov.net [IPv6:::1]) (amavisd-new, port 10024)
 with ESMTP id dZx_cOj8nb_J for <ffmpeg-devel@ffmpeg.org>;
 Fri, 27 Mar 2020 13:58:28 +0100 (CET)
Received: from libav.daenerys.khirnov.net (libav.daenerys.khirnov.net
 [IPv6:2a00:c500:561:201::7])
 by quelana.khirnov.net (Postfix) with ESMTP id 21CAC2121D
 for <ffmpeg-devel@ffmpeg.org>; Fri, 27 Mar 2020 13:58:21 +0100 (CET)
Received: by libav.daenerys.khirnov.net (Postfix, from userid 1000)
 id 0489D20E01FF; Fri, 27 Mar 2020 13:58:20 +0100 (CET)
From: Anton Khirnov <anton@khirnov.net>
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 27 Mar 2020 13:57:44 +0100
Message-Id: <20200327125747.13460-10-anton@khirnov.net>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200327125747.13460-1-anton@khirnov.net>
References: <20200327125747.13460-1-anton@khirnov.net>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 10/14] h264_sei: use a separate reader for
	the individual SEI messages
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

This tells the parsing functions the payload size and prevents them from
overreading.
---
 libavcodec/h264_sei.c | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
index a565feabe2..32d13985f3 100644
--- a/libavcodec/h264_sei.c
+++ b/libavcodec/h264_sei.c
@@ -407,9 +407,9 @@ int ff_h264_sei_decode(H264SEIContext *h, GetBitContext *gb,
     int master_ret = 0;
 
     while (get_bits_left(gb) > 16 && show_bits(gb, 16)) {
+        GetBitContext gb_payload;
         int type = 0;
         unsigned size = 0;
-        unsigned next;
         int ret  = 0;
 
         do {
@@ -429,35 +429,38 @@ int ff_h264_sei_decode(H264SEIContext *h, GetBitContext *gb,
                    type, 8*size, get_bits_left(gb));
             return AVERROR_INVALIDDATA;
         }
-        next = get_bits_count(gb) + 8 * size;
+
+        ret = init_get_bits8(&gb_payload, gb->buffer + get_bits_count(gb) / 8, size);
+        if (ret < 0)
+            return ret;
 
         switch (type) {
         case H264_SEI_TYPE_PIC_TIMING: // Picture timing SEI
-            ret = decode_picture_timing(&h->picture_timing, gb, ps, logctx);
+            ret = decode_picture_timing(&h->picture_timing, &gb_payload, ps, logctx);
             break;
         case H264_SEI_TYPE_USER_DATA_REGISTERED:
-            ret = decode_registered_user_data(h, gb, logctx, size);
+            ret = decode_registered_user_data(h, &gb_payload, logctx, size);
             break;
         case H264_SEI_TYPE_USER_DATA_UNREGISTERED:
-            ret = decode_unregistered_user_data(&h->unregistered, gb, logctx, size);
+            ret = decode_unregistered_user_data(&h->unregistered, &gb_payload, logctx, size);
             break;
         case H264_SEI_TYPE_RECOVERY_POINT:
-            ret = decode_recovery_point(&h->recovery_point, gb, logctx);
+            ret = decode_recovery_point(&h->recovery_point, &gb_payload, logctx);
             break;
         case H264_SEI_TYPE_BUFFERING_PERIOD:
-            ret = decode_buffering_period(&h->buffering_period, gb, ps, logctx);
+            ret = decode_buffering_period(&h->buffering_period, &gb_payload, ps, logctx);
             break;
         case H264_SEI_TYPE_FRAME_PACKING:
-            ret = decode_frame_packing_arrangement(&h->frame_packing, gb);
+            ret = decode_frame_packing_arrangement(&h->frame_packing, &gb_payload);
             break;
         case H264_SEI_TYPE_DISPLAY_ORIENTATION:
-            ret = decode_display_orientation(&h->display_orientation, gb);
+            ret = decode_display_orientation(&h->display_orientation, &gb_payload);
             break;
         case H264_SEI_TYPE_GREEN_METADATA:
-            ret = decode_green_metadata(&h->green_metadata, gb);
+            ret = decode_green_metadata(&h->green_metadata, &gb_payload);
             break;
         case H264_SEI_TYPE_ALTERNATIVE_TRANSFER:
-            ret = decode_alternative_transfer(&h->alternative_transfer, gb);
+            ret = decode_alternative_transfer(&h->alternative_transfer, &gb_payload);
             break;
         default:
             av_log(logctx, AV_LOG_DEBUG, "unknown SEI type %d\n", type);
@@ -467,10 +470,12 @@ int ff_h264_sei_decode(H264SEIContext *h, GetBitContext *gb,
         if (ret < 0)
             master_ret = ret;
 
-        skip_bits_long(gb, next - get_bits_count(gb));
+        if (get_bits_left(&gb_payload) < 0) {
+            av_log(logctx, AV_LOG_WARNING, "SEI type %d overread by %d bits\n",
+                   type, -get_bits_left(&gb_payload));
+        }
 
-        // FIXME check bits here
-        align_get_bits(gb);
+        skip_bits_long(gb, 8 * size);
     }
 
     return master_ret;