From patchwork Mon Jun 24 13:30:59 2024
X-Patchwork-Submitter: Frank Plowman
X-Patchwork-Id: 50125
From: Frank Plowman
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 24 Jun 2024 14:30:59 +0100
Message-ID: <20240624133133.11016-1-post@frankplowman.com>
Subject: [FFmpeg-devel] [PATCH] lavc/vvc: Validate IBC block vector

From H.266 (V3) (09/2023) p. 321:

It is a requirement of bitstream conformance that the luma block vector bvL shall obey the following constraints:
- CtbSizeY is greater than or equal to ((yCb + (bvL[ 1 ] >> 4)) & (CtbSizeY − 1)) + cbHeight

This patch checks this is true, which fixes crashes on fuzzed bitstreams.

Signed-off-by: Frank Plowman
---
 libavcodec/vvc/intra.c  | 25 ++++++++++++++++++++++---
 libavcodec/vvc/thread.c |  4 +---
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/libavcodec/vvc/intra.c b/libavcodec/vvc/intra.c
index f77a012f09..11371db797 100644
--- a/libavcodec/vvc/intra.c
+++ b/libavcodec/vvc/intra.c
@@ -624,15 +624,26 @@ static void intra_block_copy(const VVCLocalContext *lc, const int c_idx) } } -static void vvc_predict_ibc(const VVCLocalContext *lc) +static int vvc_predict_ibc(const VVCLocalContext *lc) { - const H266RawSPS *rsps = lc->fc->ps.sps->r; + const VVCFrameContext *fc = lc->fc; + const VVCSPS *sps = lc->fc->ps.sps; + const H266RawSPS *rsps = sps->r; + const CodingUnit *cu = lc->cu; + const Mv *bv = &cu->pu.mi.mv[L0][0]; + + if (sps->ctb_size_y < ((cu->y0 + (bv->y >> 4)) & (sps->ctb_size_y - 1)) + cu->cb_height) { + av_log(fc->log_ctx, AV_LOG_ERROR, "IBC region spans multiple CTBs.\n"); + return AVERROR_INVALIDDATA; + } intra_block_copy(lc, LUMA); if (lc->cu->tree_type == SINGLE_TREE && rsps->sps_chroma_format_idc) { intra_block_copy(lc, CB); intra_block_copy(lc, CR); } + + return 0; } static void ibc_fill_vir_buf(const VVCLocalContext *lc, const CodingUnit *cu) @@ -678,7 +689,10 @@ int ff_vvc_reconstruct(VVCLocalContext *lc, const int rs, const int rx, const in if (cu->ciip_flag) ff_vvc_predict_ciip(lc); else if (cu->pred_mode == MODE_IBC) - vvc_predict_ibc(lc); + ret = vvc_predict_ibc(lc); + if (ret) + goto fail; + if (cu->coded_flag) { ret = reconstruct(lc); } else { @@ -687,10 +701,15 @@ int ff_vvc_reconstruct(VVCLocalContext *lc, const int rs, const int rx, const in if (sps->r->sps_chroma_format_idc && cu->tree_type != DUAL_TREE_LUMA) add_reconstructed_area(lc, CHROMA, cu->x0, cu->y0, cu->cb_width, cu->cb_height); } + if (ret) + goto fail; + if (sps->r->sps_ibc_enabled_flag) ibc_fill_vir_buf(lc, cu); cu = cu->next; } + +fail: ff_vvc_ctu_free_cus(ctu); return ret; } diff --git a/libavcodec/vvc/thread.c b/libavcodec/vvc/thread.c index 8777d380bf..5b01dd2d20 100644 --- a/libavcodec/vvc/thread.c +++ b/libavcodec/vvc/thread.c 
@@ -454,9 +454,7 @@ static int run_inter(VVCContext *s, VVCLocalContext *lc, VVCTask *t) static int run_recon(VVCContext *s, VVCLocalContext *lc, VVCTask *t) { - ff_vvc_reconstruct(lc, t->rs, t->rx, t->ry); - - return 0; + return ff_vvc_reconstruct(lc, t->rs, t->rx, t->ry); } static int run_lmcs(VVCContext *s, VVCLocalContext *lc, VVCTask *t)
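Review bot: in the first intra.c hunk (`vvc_predict_ibc`) only the vertical constraint on `bvL[1]` is enforced, while the commit message quotes the spec as imposing several constraints on bvL; the horizontal component `bv->x` is not checked here at all. Either enforce the remaining constraints in the same place or state in the commit message where they are already guaranteed, since a fuzzed stream that violates only the horizontal one still reaches `intra_block_copy`. Minor: now that `cu` is a local, `if (lc->cu->tree_type == SINGLE_TREE && rsps->sps_chroma_format_idc)` can become `if (cu->tree_type == SINGLE_TREE && rsps->sps_chroma_format_idc)`, and logging the offending `cu->x0`, `cu->y0` and `bv->y` alongside "IBC region spans multiple CTBs." would make fuzzer reports easier to triage.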
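Review bot: in the second intra.c hunk (`ff_vvc_reconstruct`, prediction dispatch) the new `if (ret) goto fail;` sits outside the `else if (cu->pred_mode == MODE_IBC)` branch, so it runs for CIIP and every other CU too and relies on `ret` being 0 at that point; its initialisation and any earlier assignment in the loop body are outside the hunk, so please confirm it cannot carry a stale value into this test. Moving the test inside the branch, `else if (cu->pred_mode == MODE_IBC) { ret = vvc_predict_ibc(lc); if (ret) goto fail; }`, removes the dependency and matches the pattern used for `ret = reconstruct(lc)` below.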
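Review bot: in the third intra.c hunk the second `if (ret) goto fail;` after the coded/uncoded branch changes behaviour beyond the IBC check: as far as the hunk shows, a nonzero return from `reconstruct(lc)` previously let the loop go on to `ibc_fill_vir_buf` and the remaining CUs of the CTU and only surfaced in the final `return ret;`, whereas now it aborts the CTU. That is a reasonable hardening for corrupt input, but the commit message should say so, including that the remaining CUs of the CTU are then left unreconstructed. Style: the normal path also falls through `fail:` into `ff_vvc_ctu_free_cus(ctu)`, so a neutral label such as `end:` would read better than `fail:`.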
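Review bot: in the thread.c hunk `run_recon` now propagates the return value of `ff_vvc_reconstruct` that it used to discard, so errors from `reconstruct()` as well as the new IBC check reach the task scheduler for the first time. Please confirm how the scheduler treats a failing recon task and the stages that depend on it (`run_lmcs` follows directly in this file), i.e. that the frame is flagged as corrupt rather than later stages reading partially reconstructed samples, and mention in the commit message that previously swallowed errors are now surfaced.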