From patchwork Thu Sep 17 03:19:20 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andreas Rheinhardt X-Patchwork-Id: 22453 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id DEE4A448F6E for ; Thu, 17 Sep 2020 06:19:38 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id C009068BB73; Thu, 17 Sep 2020 06:19:38 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-wr1-f65.google.com (mail-wr1-f65.google.com [209.85.221.65]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3F73868BA85 for ; Thu, 17 Sep 2020 06:19:32 +0300 (EEST) Received: by mail-wr1-f65.google.com with SMTP id w5so389354wrp.8 for ; Wed, 16 Sep 2020 20:19:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=DYnQyK8KGZpQ1YzjqI+5XLGfQPgX0xjLQIugADG8reo=; b=WmvIxZVP4VSaMJmIsQ1/GpH+oFnFGUVZhboV+izO+w1Vqiyi9WVLz7k8/HuztUieL7 1+vQQJrU8xW5aDO58UI6ikbWxFhSZwuMeFkqbjhfyinR6fMXfrhwOnp1QkeJqz/b9WlO FVP2nilgauJPNEquLPlOBplJX11wDy4HDPZX6qLIbEp6yJOqtavReKCPmJ+OhWDKHayY gNHnK9ZL7nRQ8aAOnSU2q1+dbXcRAzyLkLCLzDDCH1n6mFsePKidAyjccYJzUYr/aYjZ 3knm+mDka03Mo3DkGGEMWh1rC816cemySiE8LF0eCOee8ITReivWUxdiKM2uxNxcxAkZ DEPw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=DYnQyK8KGZpQ1YzjqI+5XLGfQPgX0xjLQIugADG8reo=; b=KhauponlmqlAfDMJUb9mAoOsALnMhonDx5izVELi4cyJ+Uw3Ex7ZBzyQAZLtnWY5Ea v8tGk/ulh2iaemslmmxZXIjeMRXzRtFtyIY56I4V/2bL5osKjcmbiEYm6Ub2JhpDxQPq f62oObK4rtERO8CkOAZ8ElsAlDX+YvqiY3wnjaqEQQwDUggjsnCmn4QgIaw0/9CpikNm m0lm0a1UiO96DL46+kPadQ8RJ1D6UCwjvgZxkNaYschCiZ14VJ1H6SqhRtm6QJepGWJt UKd1DJx8o9nzJl8dRuOIY1GfVg+RcA5hK3bwv6wNenUtXzus0DUU50XIkj5FoZVOd0o5 DcwQ== X-Gm-Message-State: AOAM531xpxaM5UkkI125gLIJP3PYekunaElNGylE6JHMVLv9lP3Z1ams L/WSlYpAeilUcbdSp1buYJ2zO5dROOA= X-Google-Smtp-Source: ABdhPJyg6NJOuz1Bv5Pwu052iLiTYEquhDpnrnmm+QQO9imi25rvZqhPNC/4lHEYXnHaUHKxc12PSQ== X-Received: by 2002:a5d:4a4b:: with SMTP id v11mr29150014wrs.36.1600312771340; Wed, 16 Sep 2020 20:19:31 -0700 (PDT) Received: from sblaptop.fritz.box (ipbcc1fb0f.dynamic.kabel-deutschland.de. [188.193.251.15]) by smtp.gmail.com with ESMTPSA id y6sm36375157wrt.80.2020.09.16.20.19.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 16 Sep 2020 20:19:30 -0700 (PDT) From: Andreas Rheinhardt To: ffmpeg-devel@ffmpeg.org Date: Thu, 17 Sep 2020 05:19:20 +0200 Message-Id: <20200917031920.518127-1-andreas.rheinhardt@gmail.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH] avcodec/av1dec: Check tiles sizes, fix assert, don't read bytes bitwise X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Andreas Rheinhardt Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Tiles have a size field with a length from one to four bytes. As such it is not possible to read it all at once with a call to get_bits() as this only allows to read up to 25 bits; this is guarded by an av_assert2. Yet this is done by the AV1 decoder in get_tiles_info(). It has been done despite said size fields being byte-aligned. This commit fixes this by using the bytestream2 API instead. Furthermore, it is now explicitly checked whether the data is consistent, i.e. whether the data that is supposed to be there extends beyond the end of the data actually present. Signed-off-by: Andreas Rheinhardt --- libavcodec/av1dec.c | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index cb46801202..0bb04a3e44 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c @@ -21,7 +21,7 @@ #include "libavutil/pixdesc.h" #include "avcodec.h" #include "av1dec.h" -#include "get_bits.h" +#include "bytestream.h" #include "hwconfig.h" #include "internal.h" #include "profiles.h" @@ -205,18 +205,12 @@ static int init_tile_data(AV1DecContext *s) static int get_tiles_info(AVCodecContext *avctx, const AV1RawTileGroup *tile_group) { AV1DecContext *s = avctx->priv_data; - GetBitContext gb; + GetByteContext gb; uint16_t tile_num, tile_row, tile_col; - uint32_t size = 0, size_bytes = 0, offset = 0; - int ret; - - if ((ret = init_get_bits8(&gb, - tile_group->tile_data.data, - tile_group->tile_data.data_size)) < 0) { - av_log(avctx, AV_LOG_ERROR, "Failed to initialize bitstream reader.\n"); - return ret; - } + uint32_t size = 0, size_bytes = 0; + bytestream2_init(&gb, tile_group->tile_data.data, + tile_group->tile_data.data_size); s->tg_start = tile_group->tg_start; s->tg_end = tile_group->tg_end; @@ -225,24 +219,28 @@ static int get_tiles_info(AVCodecContext *avctx, const AV1RawTileGroup *tile_gro tile_col = tile_num % s->raw_frame_header->tile_cols; if (tile_num == tile_group->tg_end) { - s->tile_group_info[tile_num].tile_size = get_bits_left(&gb) / 8; - s->tile_group_info[tile_num].tile_offset = offset; + s->tile_group_info[tile_num].tile_size = bytestream2_get_bytes_left(&gb); + s->tile_group_info[tile_num].tile_offset = bytestream2_tell(&gb); s->tile_group_info[tile_num].tile_row = tile_row; s->tile_group_info[tile_num].tile_column = tile_col; return 0; } size_bytes = s->raw_frame_header->tile_size_bytes_minus1 + 1; - size = get_bits_le(&gb, size_bytes * 8) + 1; - skip_bits(&gb, size * 8); - - offset += size_bytes; + if (bytestream2_get_bytes_left(&gb) < size_bytes) + return AVERROR_INVALIDDATA; + size = 0; + for (int i = 0; i < size_bytes; i++) + size |= bytestream2_get_byteu(&gb) << 8 * i; + if (bytestream2_get_bytes_left(&gb) <= size) + return AVERROR_INVALIDDATA; + size++; s->tile_group_info[tile_num].tile_size = size; - s->tile_group_info[tile_num].tile_offset = offset; + s->tile_group_info[tile_num].tile_offset = bytestream2_tell(&gb); s->tile_group_info[tile_num].tile_row = tile_row; s->tile_group_info[tile_num].tile_column = tile_col; - offset += size; + bytestream2_skipu(&gb, size); } return 0; @@ -778,7 +776,9 @@ static int av1_decode_frame(AVCodecContext *avctx, void *frame, else raw_tile_group = &obu->obu.tile_group; - get_tiles_info(avctx, raw_tile_group); + ret = get_tiles_info(avctx, raw_tile_group); + if (ret < 0) + goto end; if (avctx->hwaccel) { ret = avctx->hwaccel->decode_slice(avctx,