From patchwork Thu Sep 8 14:18:26 2016
X-Patchwork-Submitter: Matthieu Bouron
X-Patchwork-Id: 480
In-Reply-To: <20160908122841.GO4692@nb4>
References: <20160907145354.2322-1-matthieu.bouron@gmail.com> <20160907145354.2322-2-matthieu.bouron@gmail.com> <20160908122841.GO4692@nb4>
From: Matthieu Bouron
Date: Thu, 8 Sep 2016 16:18:26 +0200
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] [PATCH 1/2] lavc/hevc: store VPS/SPS/PPS data

On Thu, Sep 8, 2016 at 2:28 PM, Michael Niedermayer wrote:
> On Wed, Sep 07, 2016 at 04:53:53PM +0200, Matthieu Bouron wrote:
> > From: Matthieu Bouron > > > > --- > > libavcodec/hevc.h | 9 +++++++++ > > libavcodec/hevc_ps.c | 27 +++++++++++++++++++++++++++ > > 2 files changed, 36 insertions(+) > > > > diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h > > index be91010..6a3c750 100644 > > --- a/libavcodec/hevc.h > > +++ b/libavcodec/hevc.h > > @@ -387,6 +387,9 @@ typedef struct HEVCVPS { > > uint8_t vps_poc_proportional_to_timing_flag; > > int vps_num_ticks_poc_diff_one; ///< vps_num_ticks_poc_diff_one_minus1 > + 1 > > int vps_num_hrd_parameters; > > + > > + uint8_t data[4096]; > > + int data_size; > > } HEVCVPS; > > > > typedef struct ScalingList { > > @@ -483,6 +486,9 @@ typedef struct HEVCSPS { > > int vshift[3]; > > > > int qp_bd_offset; > > + > > + uint8_t data[4096]; > > + int data_size; > > } HEVCSPS; > > > > typedef struct HEVCPPS { > > @@ -557,6 +563,9 @@ typedef struct HEVCPPS { > > int *tile_pos_rs; ///< TilePosRS > > int *min_tb_addr_zs; ///< MinTbAddrZS > > int *min_tb_addr_zs_tab;///< MinTbAddrZS > > + > > + uint8_t data[4096]; > > + int data_size; > > } HEVCPPS; > > > > typedef struct HEVCParamSets { > > diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c > > index 83f2ec2..629e454 100644 > > --- a/libavcodec/hevc_ps.c > > +++ b/libavcodec/hevc_ps.c > > @@ -408,6 +408,15 @@ int ff_hevc_decode_nal_vps(GetBitContext *gb, > AVCodecContext *avctx, > > > > av_log(avctx, AV_LOG_DEBUG, "Decoding VPS\n"); > > > > + vps->data_size = gb->buffer_end - gb->buffer; > > This theoretically could overflow, data_size is only an int the pointer > difference might be larger > Updated patch attached. [...] From e25cc9920accb43dd4af152358b78160e85d64a2 Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Wed, 7 Sep 2016 11:36:10 +0200 Subject: [PATCH 1/2] lavc/hevc: store VPS/SPS/PPS data --- libavcodec/hevc.h | 9 +++++++++ libavcodec/hevc_ps.c | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) 
diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index be91010..6a3c750 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -387,6 +387,9 @@ typedef struct HEVCVPS { uint8_t vps_poc_proportional_to_timing_flag; int vps_num_ticks_poc_diff_one; ///< vps_num_ticks_poc_diff_one_minus1 + 1 int vps_num_hrd_parameters; + + uint8_t data[4096]; + int data_size; } HEVCVPS; typedef struct ScalingList { @@ -483,6 +486,9 @@ typedef struct HEVCSPS { int vshift[3]; int qp_bd_offset; + + uint8_t data[4096]; + int data_size; } HEVCSPS; typedef struct HEVCPPS { @@ -557,6 +563,9 @@ typedef struct HEVCPPS { int *tile_pos_rs; ///< TilePosRS int *min_tb_addr_zs; ///< MinTbAddrZS int *min_tb_addr_zs_tab;///< MinTbAddrZS + + uint8_t data[4096]; + int data_size; } HEVCPPS; typedef struct HEVCParamSets { diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 83f2ec2..d08ba34 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -399,6 +399,7 @@ int ff_hevc_decode_nal_vps(GetBitContext *gb, AVCodecContext *avctx, { int i,j; int vps_id = 0; + ptrdiff_t nal_size; HEVCVPS *vps; AVBufferRef *vps_buf = av_buffer_allocz(sizeof(*vps)); @@ -408,6 +409,17 @@ int ff_hevc_decode_nal_vps(GetBitContext *gb, AVCodecContext *avctx, av_log(avctx, AV_LOG_DEBUG, "Decoding VPS\n"); + nal_size = gb->buffer_end - gb->buffer; + if (nal_size > sizeof(vps->data)) { + av_log(avctx, AV_LOG_WARNING, "Truncating likely oversized VPS " + "(%"PTRDIFF_SPECIFIER" > %"SIZE_SPECIFIER")\n", + nal_size, sizeof(vps->data)); + vps->data_size = sizeof(vps->data); + } else { + vps->data_size = nal_size; + } + memcpy(vps->data, gb->buffer, vps->data_size); + vps_id = get_bits(gb, 4); if (vps_id >= MAX_VPS_COUNT) { av_log(avctx, AV_LOG_ERROR, "VPS id out of range: %d\n", vps_id); 
@@ -1177,6 +1189,7 @@ int ff_hevc_decode_nal_sps(GetBitContext *gb, AVCodecContext *avctx, AVBufferRef *sps_buf = av_buffer_allocz(sizeof(*sps)); unsigned int sps_id; int ret; + ptrdiff_t nal_size; if (!sps_buf) return AVERROR(ENOMEM); @@ -1184,6 +1197,17 @@ int ff_hevc_decode_nal_sps(GetBitContext *gb, AVCodecContext *avctx, av_log(avctx, AV_LOG_DEBUG, "Decoding SPS\n"); + nal_size = gb->buffer_end - gb->buffer; + if (nal_size > sizeof(sps->data)) { + av_log(avctx, AV_LOG_WARNING, "Truncating likely oversized SPS " + "(%"PTRDIFF_SPECIFIER" > %"SIZE_SPECIFIER")\n", + nal_size, sizeof(sps->data)); + sps->data_size = sizeof(sps->data); + } else { + sps->data_size = nal_size; + } + memcpy(sps->data, gb->buffer, sps->data_size); + ret = ff_hevc_parse_sps(sps, gb, &sps_id, apply_defdispwin, ps->vps_list, avctx); @@ -1407,6 +1431,7 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, HEVCSPS *sps = NULL; int i, ret = 0; unsigned int pps_id = 0; + ptrdiff_t nal_size; AVBufferRef *pps_buf; HEVCPPS *pps = av_mallocz(sizeof(*pps)); @@ -1423,6 +1448,17 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, av_log(avctx, AV_LOG_DEBUG, "Decoding PPS\n"); + nal_size = gb->buffer_end - gb->buffer; + if (nal_size > sizeof(pps->data)) { + av_log(avctx, AV_LOG_WARNING, "Truncating likely oversized PPS " + "(%"PTRDIFF_SPECIFIER" > %"SIZE_SPECIFIER")\n", + nal_size, sizeof(pps->data)); + pps->data_size = sizeof(pps->data); + } else { + pps->data_size = nal_size; + } + memcpy(pps->data, gb->buffer, pps->data_size); + // Default values pps->loop_filter_across_tiles_enabled_flag = 1; pps->num_tile_columns = 1; -- 2.9.3
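
Review bot: the new `data` and `data_size` members added to HEVCVPS, HEVCSPS and HEVCPPS in libavcodec/hevc.h carry no comment, unlike the neighbouring fields that use `///<`. Please document what they hold (a copy of the bytes between `gb->buffer` and `gb->buffer_end` as seen by the parameter-set parser, capped at the array size) so that later users know whether the copy can be incomplete. The literal 4096 is repeated in all three structs; one named constant would keep the three sizes in step, and the commit message should mention that every stored parameter set now grows by 4 KiB.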
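
Review bot: in the ff_hevc_decode_nal_vps hunk of libavcodec/hevc_ps.c, the oversized branch only logs a warning and stores the first `sizeof(vps->data)` bytes, so anything that later reads `vps->data` cannot tell a truncated VPS from one that is exactly 4096 bytes long. Either reject the NAL with an error, or record the truncation (for example by keeping the original `nal_size` or a flag next to `data_size`) so that a consumer can refuse to forward an incomplete parameter set. Separately, `nal_size > sizeof(vps->data)` compares a `ptrdiff_t` with a `size_t`, which converts `nal_size` to unsigned; an explicit `nal_size < 0` check before the comparison would make the intended bounds obvious and keep the `memcpy` length tied to a validated value.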
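
Review bot: the ff_hevc_decode_nal_sps and ff_hevc_decode_nal_pps hunks repeat the VPS size check and `memcpy` block line for line, differing only in the destination struct and the "SPS"/"PPS" string in the log message. A small static helper that takes the destination array, its size, a pointer to `data_size` and the name to log would remove the duplication and make sure any later change to the truncation handling reaches all three parameter-set types at once.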