From patchwork Thu Jun  6 10:16:24 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Frank Plowman <post@frankplowman.com>
X-Patchwork-Id: 49617
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a59:c209:0:b0:460:55fa:d5ed with SMTP id d9csp269405vqo;
        Thu, 6 Jun 2024 03:17:46 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AJvYcCUxo4r9kBh3QWfr0dwxJ8GoH2xHVRikZaehZzYnAbIZW0Wd4leLk0P7SyacYXcSgVU6HnY0nJGKQEfMLDXqiGe/7TPuWz/0sIugrw==
X-Google-Smtp-Source: 
 AGHT+IExzh5atb4ShHcsX1kh+h9heuguLLvGKdP1TAEIIrYOt/YOgxUeK8ClO7ucPhpz3Dy1onxA
X-Received: by 2002:a50:9f45:0:b0:57a:346:970f with SMTP id
 4fb4d7f45d1cf-57a8bcb4158mr3691036a12.36.1717669066504;
        Thu, 06 Jun 2024 03:17:46 -0700 (PDT)
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 4fb4d7f45d1cf-57aae28abadsi530718a12.619.2024.06.06.03.17.45;
        Thu, 06 Jun 2024 03:17:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@frankplowman.com
 header.s=zmail header.b=VO+P6H44;
       arc=fail (body hash mismatch);
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 7CAC668D6AA;
	Thu,  6 Jun 2024 13:17:42 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from sender-op-o11.zoho.eu (sender-op-o11.zoho.eu [136.143.169.11])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 4B6C868D275
 for <ffmpeg-devel@ffmpeg.org>; Thu,  6 Jun 2024 13:17:36 +0300 (EEST)
Delivered-To: post@frankplowman.com
ARC-Seal: i=1; a=rsa-sha256; t=1717669053; cv=none; d=zohomail.eu; s=zohoarc;
 b=RvzFIRAn3Ex7jmtxTD3g5sthddRNvVUq/NQlqpFAniuJbs2mu+hNxoScyfl3eOPbCc4CcxThQehJp0hjtKun0taIGOk4wD30u89wtVoS18CJw77iPms9oQZEm8tK3t+JlppCNXXoVm3OX+6FBgMIjcDzPq/t2BD4hxx8+PAihbQ=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.eu;
 s=zohoarc; t=1717669053;
 h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:MIME-Version:Message-ID:Subject:Subject:To:To:Message-Id:Reply-To;
 bh=E1JcmMpL1050czLq9jO7boaJXihp9qqlKcaryP5YoUk=;
 b=Q5jD8EUgGokuw8+1PC4e1Ad5jCoXrOwCUBfAjUV+weXy7+yGe7zC5vp1hkT5YPIou1k9F7XwWCRBGjv9FU8SiCIFgw2BkMLFPNeNv+XWKswzdj7JIGy+W3FvBHW6+7vJCKMaN4KWvvq5Hb58mm5jTtXgcXuf+ENFORzSIw9jDkU=
ARC-Authentication-Results: i=1; mx.zohomail.eu;
 dkim=pass  header.i=frankplowman.com;
 spf=pass  smtp.mailfrom=post@frankplowman.com;
 dmarc=pass header.from=<post@frankplowman.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1717669053;
 s=zmail; d=frankplowman.com; i=post@frankplowman.com;
 h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-Id:Reply-To;
 bh=E1JcmMpL1050czLq9jO7boaJXihp9qqlKcaryP5YoUk=;
 b=VO+P6H44FFKrXnQP8zlyOaLaDuE5ZojFvFkV+GbxR3py++jaMUmX9oEr20OOACgI
 aRlYqCSdte0lVQ41DCWYpb1leSSfSHmlJmRe25eJOlrtr2dlAYs+9i0OlRFNFv4uxCl
 rVIN/0VA8mX+Mw91zDVn7QbdhOrb61PKx3PR7YN8=
Received: by mx.zoho.eu with SMTPS id 1717669051731825.8635408064783;
 Thu, 6 Jun 2024 12:17:31 +0200 (CEST)
From: Frank Plowman <post@frankplowman.com>
To: ffmpeg-devel@ffmpeg.org
Date: Thu,  6 Jun 2024 11:16:24 +0100
Message-ID: <20240606101727.13100-1-post@frankplowman.com>
X-Mailer: git-send-email 2.45.1
MIME-Version: 1.0
X-ZohoMailClient: External
Subject: [FFmpeg-devel] [PATCH v3] lavc/vvc: Prevent overflow in chroma QP
 derivation
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Frank Plowman <post@frankplowman.com>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: QFDvNP0G7Hkq

On the top of p. 112 in VVC (09/2023):

It is a requirement of bitstream conformance that the values of
qpInVal[ i ][ j ] and qpOutVal[ i ][ j ] shall be in the range
of −QpBdOffset to 63, inclusive for i in the range of 0 to
numQpTables − 1, inclusive, and j in the range of 0 to
sps_num_points_in_qp_table_minus1[ i ] + 1, inclusive.

Additionally, don't discard the return code from sps_chroma_qp_table.

Signed-off-by: Frank Plowman <post@frankplowman.com>
---
Changes since v2:
* Squash discarded return code patch and QP overflow patch.
* Combine QpIn and QpOut validation into a single if statement.

 libavcodec/vvc/ps.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libavcodec/vvc/ps.c b/libavcodec/vvc/ps.c
index 1b23675c98..ea5d0e9959 100644
--- a/libavcodec/vvc/ps.c
+++ b/libavcodec/vvc/ps.c
@@ -101,9 +101,12 @@ static int sps_chroma_qp_table(VVCSPS *sps)
 
         qp_out[0] = qp_in[0] = r->sps_qp_table_start_minus26[i] + 26;
         for (int j = 0; j < num_points_in_qp_table; j++ ) {
+            const uint8_t delta_qp_out = (r->sps_delta_qp_in_val_minus1[i][j] ^ r->sps_delta_qp_diff_val[i][j]);
             delta_qp_in[j] = r->sps_delta_qp_in_val_minus1[i][j] + 1;
+            if (qp_in[j] + delta_qp_in[j] > 63 || qp_out[j] + delta_qp_out > 63)
+                return AVERROR(EINVAL);
             qp_in[j+1] = qp_in[j] + delta_qp_in[j];
-            qp_out[j+1] = qp_out[j] + (r->sps_delta_qp_in_val_minus1[i][j] ^ r->sps_delta_qp_diff_val[i][j]);
+            qp_out[j+1] = qp_out[j] + delta_qp_out;
         }
         sps->chroma_qp_table[i][qp_in[0] + off] = qp_out[0];
         for (int k = qp_in[0] - 1 + off; k >= 0; k--)
@@ -186,8 +189,11 @@ static int sps_derive(VVCSPS *sps, void *log_ctx)
     sps_inter(sps);
     sps_partition_constraints(sps);
     sps_ladf(sps);
-    if (r->sps_chroma_format_idc != 0)
-        sps_chroma_qp_table(sps);
+    if (r->sps_chroma_format_idc != 0) {
+        ret = sps_chroma_qp_table(sps);
+        if (ret < 0)
+            return ret;
+    }
 
     return 0;
 }