From patchwork Wed Feb 3 21:34:07 2021
X-Patchwork-Submitter: Mark Thompson
X-Patchwork-Id: 25375
To: FFmpeg development discussions and patches
From: Mark Thompson
Message-ID: <2d7cf9d5-2939-64ee-61b4-cd8fc68369f3@jkqxz.net>
Date: Wed, 3 Feb 2021 21:34:07 +0000
Subject: [FFmpeg-devel] [PATCH] cbs_h265: Detect more reference combinations which would overflow the DPB

In total, the number of short term references (from the selected short term ref pic set), the number of long term references (combining both the used candidates from the SPS and those defined in the slice header) and the number of instances of the current picture (usually one, but can be two if current picture reference is enabled) must never exceed the size of the DPB.

This is a generalisation of the condition associated with num_long_term_pics in 7.4.7.1. We use this to apply tighter bounds to the number of long term pictures referred to in the slice header, and also to detect the invalid case where the second reference to the current picture would not fit in the DPB (this case can't be detected earlier because an STRPS with 15 pictures can still be valid in the same stream when used with a different PPS which does not require two DPB slots for the current picture).
---
Michael: does this fix your fuzz case for num_long_term_sps?

Thanks,

- Mark

 libavcodec/cbs_h265_syntax_template.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c
index d09934cfeb..5d216aad36 100644
--- a/libavcodec/cbs_h265_syntax_template.c
+++ b/libavcodec/cbs_h265_syntax_template.c
@@ -1369,6 +1369,7 @@ static int FUNC(slice_segment_header)(CodedBitstreamContext *ctx, RWContext *rw, if (current->nal_unit_header.nal_unit_type != HEVC_NAL_IDR_W_RADL && current->nal_unit_header.nal_unit_type != HEVC_NAL_IDR_N_LP) { const H265RawSTRefPicSet *rps; + int dpb_slots_remaining; ub(sps->log2_max_pic_order_cnt_lsb_minus4 + 4, slice_pic_order_cnt_lsb); @@ -1387,6 +1388,22 @@ static int FUNC(slice_segment_header)(CodedBitstreamContext *ctx, RWContext *rw, rps = &sps->st_ref_pic_set[0]; } + dpb_slots_remaining = HEVC_MAX_DPB_SIZE - 1 - + rps->num_negative_pics - rps->num_positive_pics; + if (pps->pps_curr_pic_ref_enabled_flag && + (sps->sample_adaptive_offset_enabled_flag || + !pps->pps_deblocking_filter_disabled_flag || + pps->deblocking_filter_override_enabled_flag)) { + // This picture will occupy two DPB slots. + if (dpb_slots_remaining == 0) { + av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid stream: " + "short-term ref pic set contains too many pictures " + "to use with current picture reference enabled.\n"); + return AVERROR_INVALIDDATA; + } + --dpb_slots_remaining; + } + num_pic_total_curr = 0; for (i = 0; i < rps->num_negative_pics; i++) if (rps->used_by_curr_pic_s0_flag[i]) @@ -1399,13 +1416,15 @@ static int FUNC(slice_segment_header)(CodedBitstreamContext *ctx, RWContext *rw, unsigned int idx_size; if (sps->num_long_term_ref_pics_sps > 0) { - ue(num_long_term_sps, 0, sps->num_long_term_ref_pics_sps); + ue(num_long_term_sps, 0, FFMIN(sps->num_long_term_ref_pics_sps, + dpb_slots_remaining)); idx_size = av_log2(sps->num_long_term_ref_pics_sps - 1) + 1; + dpb_slots_remaining -= current->num_long_term_sps; } else { infer(num_long_term_sps, 0); idx_size = 0; } - ue(num_long_term_pics, 0, HEVC_MAX_REFS - current->num_long_term_sps); + ue(num_long_term_pics, 0, dpb_slots_remaining); for (i = 0; i < current->num_long_term_sps + current->num_long_term_pics; i++) {
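Review bot: the new `int dpb_slots_remaining;` in the @@ -1369 hunk is declared without any comment saying what it counts, and it is only assigned further down (after the short-term ref pic set has been selected) and then decremented in two separate places. A one-line comment at the declaration, for example `// DPB slots left for long-term references after the current picture and the short-term set`, would make the accounting much easier to follow for the next reader of this slice header parser.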
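Review bot: the guard `if (dpb_slots_remaining == 0)` in the @@ -1387 hunk only catches the exactly-full case. If `rps->num_negative_pics + rps->num_positive_pics` can ever exceed `HEVC_MAX_DPB_SIZE - 1` (the STRPS parsing that bounds those two fields is not visible in this patch, so this depends on what it guarantees), `dpb_slots_remaining` is already negative here, the error is skipped, `--dpb_slots_remaining` pushes it further below zero, and the negative value is then handed to `ue()` as the upper bound of the long-term ranges in the next hunk. Writing `if (dpb_slots_remaining <= 0)` costs nothing and makes the check correct regardless of what the STRPS parser enforces. The comment `// This picture will occupy two DPB slots.` would also be more useful if it said why the `pps_curr_pic_ref_enabled_flag` plus SAO/deblocking conditions tested just above imply a second slot, so the three-term condition is not mistaken for an arbitrary choice.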
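Review bot: the two bound changes in the @@ -1399 hunk, `FFMIN(sps->num_long_term_ref_pics_sps, dpb_slots_remaining)` and `ue(num_long_term_pics, 0, dpb_slots_remaining)`, replace the old `HEVC_MAX_REFS - current->num_long_term_sps` limit with a DPB-based one, but nothing in the code says where the constraint comes from. The commit message cites 7.4.7.1, so a short comment above the first `ue()` pointing at that semantics clause would keep the rationale next to the code. It is also worth noting in a comment that the range can legitimately collapse to [0, 0] when the short-term set and the current picture already fill the DPB, so that a resulting "num_long_term_pics must be 0" failure on a fuzzed stream is read as the intended rejection rather than as a parser bug.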