From patchwork Fri Jan 5 00:34:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Dai, Jianhui J" X-Patchwork-Id: 45483 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a05:6a21:61f:b0:194:e134:edd4 with SMTP id ll31csp90330pzb; Thu, 4 Jan 2024 16:35:19 -0800 (PST) X-Google-Smtp-Source: AGHT+IHlmXcnnSKszPcCwdqV3GePAz7GLoyYzyl43HvzVXaT5ssdclm1kVB7c2FrRIzfUoVJpXRV X-Received: by 2002:a50:9b41:0:b0:557:9c9:e6e4 with SMTP id a1-20020a509b41000000b0055709c9e6e4mr726861edj.37.1704414918912; Thu, 04 Jan 2024 16:35:18 -0800 (PST) Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100]) by mx.google.com with ESMTP id u16-20020a50c050000000b005555859792esi207608edd.63.2024.01.04.16.35.18; Thu, 04 Jan 2024 16:35:18 -0800 (PST) Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel.com header.s=Intel header.b=TTrQ3kfL; arc=fail (body hash mismatch); spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 77FDD68C7EA; Fri, 5 Jan 2024 02:35:15 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mgamail.intel.com (mgamail.intel.com [192.55.52.43]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id EB30B68CBF5 for ; Fri, 5 Jan 2024 02:35:07 +0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1704414913; x=1735950913; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=BsqilIiEemgfIgzo9mBLVkV+QAsehdMlMWimRhwc/TU=; b=TTrQ3kfLFewOXq6cYIsp7iFUXmJBqwtG+uxjEE7dTH+OhBx9K0NmyEzT mjSaO2LAgjQQHWTgrAjLKlKNDH31371tOgSfwcpSg+GGWftsvG1dqoy5k HHgtdxjHUUfxf9cm1yy/jHw/AjHfGGlqQQ8dGZzA5PgeBR3pTrVvq3Ofh YS8pZBylkAjOZ+xtCTk458EahHFNqGVp8zUSOhUE6ZmfuMQ2cN5uBvkAq PT+J4xR1SN3xtJ5r1uweaT1mIOvFdFb8FrEAgWvyAYcNVTo9watqCKZSV ck+y3rzOKyYD1C1iRl/PXH5v6hs8oem+xWfkfULn2Ndcqj8rPLikqw7N/ w==; X-IronPort-AV: E=McAfee;i="6600,9927,10943"; a="483568130" X-IronPort-AV: E=Sophos;i="6.04,332,1695711600"; d="scan'208";a="483568130" Received: from fmviesa002.fm.intel.com ([10.60.135.142]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Jan 2024 16:35:00 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.04,332,1695711600"; d="scan'208";a="15089539" Received: from fmsmsx603.amr.corp.intel.com ([10.18.126.83]) by fmviesa002.fm.intel.com with ESMTP/TLS/AES256-GCM-SHA384; 04 Jan 2024 16:35:00 -0800 Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx603.amr.corp.intel.com (10.18.126.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Thu, 4 Jan 2024 16:34:59 -0800 Received: from FMSEDG603.ED.cps.intel.com (10.1.192.133) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35 via Frontend Transport; Thu, 4 Jan 2024 16:34:59 -0800 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (104.47.55.168) by edgegateway.intel.com (192.55.55.68) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Thu, 4 Jan 2024 16:34:59 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fJKS278zIjkp9M7JPi7dGc2NFWIDAz92ILWu3XL+RKOLrgswwvIQNdk4wl3bbfS6EyPZh3RYesBt2+vmpvdekZe1Q1pOkc+HP3KkZAwPRN8HLxqjn+meeAel9KZt6vUqm1fLya4qzHuwW/1egl3/ni5ZmpUVK8jo6FVvsCDrhTHxg2OFM+fgE6bl1wkIaQI774g5sM/DpHTODujeiRkSGp7uSQ6AGdM7/MGo2GSQB3KylNNBDraimJ9xQ4trJzRfDNpmUcNR8HMXEtNLmQbzSgUisxld15RtWu1nOBaXzeUpKOax2Vx99ZQr5ylgu/G1BAM0EbmyQZQe/l7msTgiqQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=3CRlDoeahbfJsJC6DA4qgz1BYIfFfj2IxaFVi3wIC7w=; b=LDs3u/pGJlBM1wqRiQ0RhFG/XdT5+ZZejEveO7YjBI0Obe5MLjwthXU3V+SU7Ub5MmGqEkoEle7DCJpFJ4jjScCWXGxsxje8AEd3E1o5c5AfXjOPELzFGcqeVIKCXiPSDn+29XbWyS2wIEooej4XIwirng03k3+5NK2wKaaNLurnJAJWsqmQgdWyhrH5W48Jglwd+tG1bqipv6qVtNDgt9ByrlTER9JYSrCbwwJsKi5guL2O8plzDh2NCNGeBOw2ZG2Na+JpODbNn3P0UAVGGhTSXaVXM4ASnU96Z6M2hyrrr/lSgehQEiR6Z0RTm3S/1VrckFIvHBJ/9/12fA/qDg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Received: from CH3PR11MB7937.namprd11.prod.outlook.com (2603:10b6:610:12c::15) by PH7PR11MB6699.namprd11.prod.outlook.com (2603:10b6:510:1ad::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7159.13; Fri, 5 Jan 2024 00:34:57 +0000 Received: from CH3PR11MB7937.namprd11.prod.outlook.com ([fe80::36df:9084:c6e3:6845]) by CH3PR11MB7937.namprd11.prod.outlook.com ([fe80::36df:9084:c6e3:6845%4]) with mapi id 15.20.7159.015; Fri, 5 Jan 2024 00:34:57 +0000 From: "Dai, Jianhui J" To: "ffmpeg-devel@ffmpeg.org" Thread-Topic: [PATCH v3] avcodec/cbs_vp8: Use little endian in fixed() and improve the pos check Thread-Index: Adoxhcxe12ag1JunQOSVul2VPdKfUQ== Date: Fri, 5 Jan 2024 00:34:57 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; x-ms-exchange-messagesentrepresentingtype: 1 x-ms-publictraffictype: Email x-ms-traffictypediagnostic: CH3PR11MB7937:EE_|PH7PR11MB6699:EE_ x-ms-office365-filtering-correlation-id: 89dc7fc7-ad9d-4d34-bd08-08dc0d8624b3 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 5RZci7euvSMlsXqpZ41Viclo7vGEyywWS7f9ukyPBA+441BGqqLrp4M0hdIcoiAyqYsQBcDsNXbEqUvwJerhOMoDf4AXenz7DamGYDcrltkHLblEQ0Ru54RHDkvrdJXxF3Giq8NFUJW+RGesMTIqROlGrncEDXhgrSK7RfMhPgtsE7mj2waZ7droLC+6PObBg2XSaiuysnnfXcqEfviZ34DIda+Bp5L0EX37R208g8o3pJG9sf5y68WWTBE4qo/NpwzLBr/sgtseYYEG3fMPuuCiJKmWkjQiByJrHteGkLaPO1rgcEHxricndc46BY53HvZJtDU3O9CobaoDaT9LwoMDQgA5h5VwPouRnN8nKnwRJADoxpxeaIGOXSrAap+JiDa39HLReqKAaERWO9pYCFG6gr04BKbgPtHD+EHFLKpQizMJHtZHPpb7kcuz7tgXqbAHyTm9OPqfRyEIahbElWPsgJt+5lXSM7E/lrvAV3LGep2JCBfbZI9pW5HK1ba0yzU/Mg6seq5M9wRM4GwllrOc5CZUUNtlQBmQ6EPcuwpZ3ypYSxJ0sV+9N9zvxIK6+TxAtOfx2H1vmizS021qhkPXP+DcNMA6A90YkeNKmSBbMCy7vjnZN/vMFGqN7znz x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH3PR11MB7937.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(376002)(366004)(396003)(136003)(346002)(230922051799003)(1800799012)(451199024)(64100799003)(186009)(83380400001)(122000001)(26005)(9686003)(6506007)(5660300002)(8676002)(66446008)(6916009)(2906002)(478600001)(64756008)(66476007)(7696005)(71200400001)(52536014)(38100700002)(8936002)(86362001)(66946007)(76116006)(41300700001)(66556008)(316002)(38070700009)(19627235002)(82960400001)(33656002)(55016003); DIR:OUT; SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: yV4NDkx5IHHWUX88K7owVqbNR+Ufi4YRM/jnEWkrz8npv4Oi/qRDxF1pvmB6ie8sENiNpBWEEZlbKqk8aDW75o5HUWi+thq3c9xR23c3bGh8DGU6gHKW6z08zWo+AEsURQesgWpE1qeX707jYY9ghxM2zZi1ElBzwUybHEr0NVwt1BeeSSyVMEdAz85OcHMhH2zW/f7Z1YTWdSxBi8ngJysQwriMsBygZlmTHV1xxHt3dDuKF6+gC3HLCc2wjuQoVA7sok9U4nW+Mr5q3j7HhH+k3ISYOVGtN48wpd5AA1c8iExrHHLWcXBs6BD90QDY/ev8gRNqhVyBl8+YwDm+7zNE1D3p8NFo4lSn6pBwJ2/XD89JuMR3099k/+gfPPJeMZRRf3cFCUX/tQYghqoik0ozONtdQvhGTucuV98/x9aGGABOFY+OwtcIDKeJYswmmVWZBYb7L4Xfaz0HuM+zlk5VtLCDQ3ymU2wx/93Dw168/+KdVNFCX9YZaOvHub1M/OAhJOkE7HOK82nONO0TYyXwCZSsFPH+FVUQbh0Ce4m9YmZ9xw8Le7VikT34qDKHa0dsBsH84mlW2VHP23F7rTu2ta/fd11r2eLSd7JuJt6zvogFjPt7nrFmkm4T7eQUUG2NujNd+82YUNIzKvTN2RQv8Ik3XV597WyZgAP3k6y+hZ5qcfvgXhguZRRRE7TqeunofTQ0uhDAh+hu7zHhAri01PBz476kVgtGROq0FlYsimFFb3OuQljKCzjY6LwNKFl+VTI94PhMnfu13I+3dVG2MWSbLu14Y5tNZFj9bPSVF0qPBHkp3wY9n+Jf0Uy+wgCgLjJvOcnuZupMF4q3JvG5T5bOigyqs7FkFx8hDOMmgq3qy68ya/s8qclOUz/lgFI4Hba+vKFr9DXFTBcIbpCCO8y0v5Op5fwxZzdzJ8FyA0HAEEAUgriGUD7NjjcyJW3QGi2QjvqoI23Xs0N26ERWNDiXVxfRK63KuzWwFk0OqDLT82fDEFmy2gNuP9RxSmhiRFm/4wiGtus4EHk9/8158WWwPVHj+oUmkK2rM3xjajWH6KMzP8az1Cr0wm7duzC/pQSgggo1tDOoI75BgNlo591DR3+B9aEo2GvuKp9MV8ZOgJWSMU9CiYGFrpP+C3G3FTbWJQEovStR0FJJ0l0+cyGlksPbkLeHAmL/ecYanXAtiZzPwRMgRPHGLQ47FPeHGqfkxWmezu7Wu6pGdWye19iHHHjV4E5I6bVYvaeJj4sHBhw3tf35ayg1xxddTO4hsjr1ZKW2YPfEnVfUNX6ZWWkFMp3kIx33dCUACgtxaRBD1HatGtvxU64EoEdwWrhaMMA03WjX0YRUEpKd6XxQePoRAnV5qh8e79/whWyl2ZR4lKAWS0fJEDWp56kaDiLBNRYzx20bwyeuExErPZ9HD7vHzSNWag+yTgswHsF/Nkge1H5wZXqJ6CDgZwFlkfreiFTQtt6lqvoONvlJnysOV+iFJqvJFxHEtbGDmMUa2U6gCQGY4ytiUyf/zX/yRCGtKhNjwmvifAj2tthWx1InkwXxbX0ZzeR96P0lcWPFjq70n4USHmKFrs8+fhMB MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: CH3PR11MB7937.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 89dc7fc7-ad9d-4d34-bd08-08dc0d8624b3 X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jan 2024 00:34:57.1931 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: zHGue6sUJYwz182iraBOmpurRWVNTUxbaI+55QqrURbvSzjQJ5QGWHXnwVOOAbAX6Z2VqrNxccdvvXfKOyTgiw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR11MB6699 X-OriginatorOrg: intel.com Subject: [FFmpeg-devel] [PATCH v3] avcodec/cbs_vp8: Use little endian in fixed() and improve the pos check X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: r1ppji6JpDCQ This commit adds value range checks to cbs_vp8_read_unsigned_le, migrates fixed() to use it, and enforces little-endian consistency for all read methods. The VP8 compressed header may not be byte-aligned due to boolean coding. Use bitwise comparison to prevent the potential overread. TETS: ffmpeg -i fate-suite/vp8-test-vectors-r1/* -vcodec copy -bsf:v trace_headers -f null - Signed-off-by: Jianhui Dai --- libavcodec/cbs_vp8.c | 53 +++++++++++++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 16 deletions(-) diff --git a/libavcodec/cbs_vp8.c b/libavcodec/cbs_vp8.c index 065156c248..338d56ed7f 100644 --- a/libavcodec/cbs_vp8.c +++ b/libavcodec/cbs_vp8.c @@ -33,22 +33,22 @@ extern const uint8_t ff_vp8_token_update_probs[4][8][3][11]; typedef struct CBSVP8BoolDecoder { GetBitContext *gbc; - uint8_t value; uint8_t range; - uint8_t count; // Store the number of bits in the `value` buffer. - + uint8_t value; + // Store the number of bits in the `value` buffer. + uint8_t count; } CBSVP8BoolDecoder; -static int cbs_vp8_bool_decoder_init(CBSVP8BoolDecoder *decoder, GetBitContext *gbc) +static int cbs_vp8_bool_decoder_init(CBSVP8BoolDecoder *decoder, + GetBitContext *gbc) { av_assert0(decoder); av_assert0(gbc); decoder->gbc = gbc; - decoder->value = 0; decoder->range = 255; - + decoder->value = 0; decoder->count = 0; return 0; @@ -60,7 +60,7 @@ static bool cbs_vp8_bool_decoder_fill_value(CBSVP8BoolDecoder *decoder) av_assert0(decoder->count <= 8); if (decoder->count == 8) { - return true; + return true; } if (get_bits_left(decoder->gbc) >= bits) { @@ -141,7 +141,7 @@ static int cbs_vp8_bool_decoder_read_unsigned( } if (trace_enable) { - CBS_TRACE_READ_END(); + CBS_TRACE_READ_END(); } *write_to = value; @@ -181,9 +181,11 @@ static int cbs_vp8_bool_decoder_read_signed( return 0; } -static int cbs_vp8_read_unsigned_le(CodedBitstreamContext *ctx, GetBitContext *gbc, - int width, const char *name, - const int *subscripts, uint32_t *write_to) +static int cbs_vp8_read_unsigned_le(CodedBitstreamContext *ctx, + GetBitContext *gbc, int width, + const char *name, const int *subscripts, + uint32_t *write_to, uint32_t range_min, + uint32_t range_max) { int32_t value; @@ -200,6 +202,14 @@ static int cbs_vp8_read_unsigned_le(CodedBitstreamContext *ctx, GetBitContext *g CBS_TRACE_READ_END(); + if (value < range_min || value > range_max) { + av_log(ctx->log_ctx, AV_LOG_ERROR, + "%s out of range: " + "%" PRIu32 ", but must be in [%" PRIu32 ",%" PRIu32 "].\n", + name, value, range_min, range_max); + return AVERROR_INVALIDDATA; + } + *write_to = value; return 0; } @@ -246,15 +256,16 @@ static int cbs_vp8_read_unsigned_le(CodedBitstreamContext *ctx, GetBitContext *g do { \ uint32_t value; \ CHECK(cbs_vp8_read_unsigned_le(ctx, rw, width, #name, \ - SUBSCRIPTS(subs, __VA_ARGS__), &value)); \ + SUBSCRIPTS(subs, __VA_ARGS__), &value, \ + 0, MAX_UINT_BITS(width))); \ current->name = value; \ } while (0) #define fixed(width, name, value) \ do { \ uint32_t fixed_value; \ - CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, 0, &fixed_value, \ - value, value)); \ + CHECK(cbs_vp8_read_unsigned_le(ctx, rw, width, #name, 0, &fixed_value, \ + value, value)); \ } while (0) #define bc_unsigned_subs(width, prob, enable_trace, name, subs, ...) \ @@ -277,6 +288,15 @@ static int cbs_vp8_read_unsigned_le(CodedBitstreamContext *ctx, GetBitContext *g #include "cbs_vp8_syntax_template.c" +#undef READ +#undef READWRITE +#undef RWContext +#undef CBSVP8BoolCodingRW +#undef xf +#undef fixed +#undef bc_unsigned_subs +#undef bc_signed_subs + static int cbs_vp8_split_fragment(CodedBitstreamContext *ctx, CodedBitstreamFragment *frag, int header) { @@ -327,9 +347,10 @@ static int cbs_vp8_read_unit(CodedBitstreamContext *ctx, if (err < 0) return err; + // Position may not be byte-aligned after compressed header; use bit-level + // comparison. pos = get_bits_count(&gbc); - pos /= 8; - av_assert0(pos <= unit->data_size); + av_assert0(pos <= unit->data_size * 8); frame->data_ref = av_buffer_ref(unit->data_ref); if (!frame->data_ref)