diff mbox

[FFmpeg-devel] pngdec: add ability to check chunk CRC

Message ID L_SeCLv--3-1@lynne.ee
State New
Headers show

Commit Message

Lynne March 8, 2019, 2:15 p.m. UTC 
7 Mar 2019, 21:22 by michael@niedermayer.cc:

> On Thu, Mar 07, 2019 at 07:26:32PM +0100, Lynne wrote:
>
>> By default now, if AV_EF_CRCCHECK or AV_EF_IGNORE_ERR are enabled the decoder
>> will skip the chunk and carry on with the next one. This should make the       
>> decoder able to decode more corrupt files because the functions which decode
>> individual chunks will very likely error out if fed invalid data and stop the
>> decoding of the entire image.
>> Should this be made default? CRC verification doesn't take long even for very
>> large files.                                                      
>> Also fix the length check for chunk size. It needs to take into account the
>> 4 byte tag as well as the 4 byte CRC.
>>
>> pngdec.c |   19 ++++++++++++++++++-
>>  1 file changed, 18 insertions(+), 1 deletion(-)
>> 4255c91468cee2bc2fa757fae69762ff5ee5774a  0001-pngdec-add-ability-to-check-chunk-CRC.patch
>> From 7aff99d12faf557753c5ee860a9672c7a09a26e3 Mon Sep 17 00:00:00 2001
>> From: Lynne <>> dev@lynne.ee <mailto:dev@lynne.ee>>> >
>> Date: Thu, 7 Mar 2019 18:15:23 +0000
>> Subject: [PATCH] pngdec: add ability to check chunk CRC
>>
>> By default now, if AV_EF_CRCCHECK or AV_EF_IGNORE_ERR are enabled the decoder
>> will skip the chunk and carry on with the next one. This should make the
>> decoder able to decode more corrupt files because the functions which decode
>> individual chunks will very likely error out if fed invalid data and stop the
>> decoding of the entire image.
>> Should this be made default? CRC verification doesn't take long even for very
>> large files.
>>
>
> i would tend toward enabling it by default but maybe first post some
> numbers of how much this changes decode time 
>

For the largest png I found: https://vk.com/doc218587497_437472325?hash=51300ca9ba40f462ac&dl=1bcf9a57b0d989da1f <https://vk.com/doc218587497_437472325?hash=51300ca9ba40f462ac&dl=1bcf9a57b0d989da1f>

There was no increase in decoding time, it took 2.3 seconds on my machine
with and without -err_detect crccheck.

With -err_detect crccheck perf reported 2.52% spent in av_crc


>> Also fix the length check for chunk size. It needs to take into account the
>> 4 byte tag as well as the 4 byte CRC.
>>
>
> this should be a seperate patch as its unrelated
>

removed and attached new patch file

Maybe always enabling the CRC check isn't worth it since if you download from
the internet you could either get a full error-free file or an incomplete one
rather than a corrupt one. Maybe only for torrents with huge png files where
not all chunks have been downloaded yet, or broken hard drives, but the ignore_err
flag could be manually enabled in those cases.

Comments

Michael Niedermayer March 18, 2019, 11:44 p.m. UTC | #1 
On Fri, Mar 08, 2019 at 03:15:40PM +0100, Lynne wrote:
> 7 Mar 2019, 21:22 by michael@niedermayer.cc:
> 
> > On Thu, Mar 07, 2019 at 07:26:32PM +0100, Lynne wrote:
> >
> >> By default now, if AV_EF_CRCCHECK or AV_EF_IGNORE_ERR are enabled the decoder
> >> will skip the chunk and carry on with the next one. This should make the       
> >> decoder able to decode more corrupt files because the functions which decode
> >> individual chunks will very likely error out if fed invalid data and stop the
> >> decoding of the entire image.
> >> Should this be made default? CRC verification doesn't take long even for very
> >> large files.                                                      
> >> Also fix the length check for chunk size. It needs to take into account the
> >> 4 byte tag as well as the 4 byte CRC.
> >>
> >> pngdec.c |   19 ++++++++++++++++++-
> >>  1 file changed, 18 insertions(+), 1 deletion(-)
> >> 4255c91468cee2bc2fa757fae69762ff5ee5774a  0001-pngdec-add-ability-to-check-chunk-CRC.patch
> >> From 7aff99d12faf557753c5ee860a9672c7a09a26e3 Mon Sep 17 00:00:00 2001
> >> From: Lynne <>> dev@lynne.ee <mailto:dev@lynne.ee>>> >
> >> Date: Thu, 7 Mar 2019 18:15:23 +0000
> >> Subject: [PATCH] pngdec: add ability to check chunk CRC
> >>
> >> By default now, if AV_EF_CRCCHECK or AV_EF_IGNORE_ERR are enabled the decoder
> >> will skip the chunk and carry on with the next one. This should make the
> >> decoder able to decode more corrupt files because the functions which decode
> >> individual chunks will very likely error out if fed invalid data and stop the
> >> decoding of the entire image.
> >> Should this be made default? CRC verification doesn't take long even for very
> >> large files.
> >>
> >
> > i would tend toward enabling it by default but maybe first post some
> > numbers of how much this changes decode time 
> >
> 
> For the largest png I found: https://vk.com/doc218587497_437472325?hash=51300ca9ba40f462ac&dl=1bcf9a57b0d989da1f <https://vk.com/doc218587497_437472325?hash=51300ca9ba40f462ac&dl=1bcf9a57b0d989da1f>
> 
> There was no increase in decoding time, it took 2.3 seconds on my machine
> with and without -err_detect crccheck.
> 
> With -err_detect crccheck perf reported 2.52% spent in av_crc
> 
> 
> >> Also fix the length check for chunk size. It needs to take into account the
> >> 4 byte tag as well as the 4 byte CRC.
> >>
> >
> > this should be a seperate patch as its unrelated
> >
> 
> removed and attached new patch file
> 
> Maybe always enabling the CRC check isn't worth it since if you download from
> the internet you could either get a full error-free file or an incomplete one
> rather than a corrupt one. Maybe only for torrents with huge png files where
> not all chunks have been downloaded yet, or broken hard drives, but the ignore_err
> flag could be manually enabled in those cases.

>  pngdec.c |   17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
> 57ccb0b81aeca1e08bc0f1475c048007d7f32c26  0001-pngdec-add-ability-to-check-chunk-CRC.patch
> From b911d3cb36828ad3c910ca6bf8b96a58ce398191 Mon Sep 17 00:00:00 2001
> From: Lynne <dev@lynne.ee>
> Date: Thu, 7 Mar 2019 18:15:23 +0000
> Subject: [PATCH] pngdec: add ability to check chunk CRC
> 
> By default now, if AV_EF_CRCCHECK or AV_EF_IGNORE_ERR are enabled the decoder
> will skip the chunk and carry on with the next one. This should make the
> decoder able to decode more corrupt files because the functions which decode
> individual chunks will very likely error out if fed invalid data and stop the
> decoding of the entire image.
> ---
>  libavcodec/pngdec.c | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
> 
> diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
> index 189bb9a4c1..9743f1cb76 100644
> --- a/libavcodec/pngdec.c
> +++ b/libavcodec/pngdec.c
> @@ -23,6 +23,7 @@
>  
>  #include "libavutil/avassert.h"
>  #include "libavutil/bprint.h"
> +#include "libavutil/crc.h"
>  #include "libavutil/imgutils.h"
>  #include "libavutil/stereo3d.h"
>  #include "libavutil/mastering_display_metadata.h"
> @@ -1169,6 +1170,7 @@ static int handle_p_frame_apng(AVCodecContext *avctx, PNGDecContext *s,
>  static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
>                                 AVFrame *p, AVPacket *avpkt)
>  {
> +    const AVCRC *crc_tab = av_crc_get_table(AV_CRC_32_IEEE_LE);
>      AVDictionary **metadatap = NULL;
>      uint32_t tag, length;
>      int decode_next_dat = 0;
> @@ -1203,6 +1205,21 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
>              ret = AVERROR_INVALIDDATA;
>              goto fail;
>          }
> +        if (avctx->err_recognition & (AV_EF_CRCCHECK | AV_EF_IGNORE_ERR)) {

The usage of AV_EF_IGNORE_ERR is incorrect.
the code does the opposite of what the flag means
what the code does is handle errors when the flag says dont


> +            uint32_t crc_sig = AV_RB32(s->gb.buffer + length + 4);
> +            uint32_t crc_cal = ~av_crc(crc_tab, UINT32_MAX, s->gb.buffer, length + 4);
> +            if (crc_sig ^ crc_cal) {
> +                av_log(avctx, AV_LOG_ERROR, "CRC mismatch in chunk");
> +                if (avctx->err_recognition & AV_EF_EXPLODE) {
> +                    av_log(avctx, AV_LOG_ERROR, ", quitting\n");
> +                    ret = AVERROR_INVALIDDATA;
> +                    goto fail;
> +                }

> +                av_log(avctx, AV_LOG_ERROR, ", skipping\n");
> +                bytestream2_skip(&s->gb, 4); /* tag */
> +                goto skip_tag;

for which tags is it better to skip them completely than to attempt
to decode ?
For essential tags where without it there is no output, decoding
should be better than skiping

Skiping a tag makes sense when theres a high chance decoding it would
make the output worse.
An example of this is data in a slice in MPEG after damage. This would ruin
the affected area with funny looking blocks. The error concealment code
filling that in from a previous frame is better looking and likely closer
to the original frame.

How does skiping a tag in a PNG that fails CRC improve the output ?


> +            }
> +        }
>          tag = bytestream2_get_le32(&s->gb);
>          if (avctx->debug & FF_DEBUG_STARTCODE)
>              av_log(avctx, AV_LOG_DEBUG, "png: tag=%s length=%u\n",
> -- 
> 2.21.0
> 

> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
diff mbox

Patch

From b911d3cb36828ad3c910ca6bf8b96a58ce398191 Mon Sep 17 00:00:00 2001
From: Lynne <dev@lynne.ee>
Date: Thu, 7 Mar 2019 18:15:23 +0000
Subject: [PATCH] pngdec: add ability to check chunk CRC

By default now, if AV_EF_CRCCHECK or AV_EF_IGNORE_ERR are enabled the decoder
will skip the chunk and carry on with the next one. This should make the
decoder able to decode more corrupt files because the functions which decode
individual chunks will very likely error out if fed invalid data and stop the
decoding of the entire image.
---
 libavcodec/pngdec.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 189bb9a4c1..9743f1cb76 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -23,6 +23,7 @@ 
 
 #include "libavutil/avassert.h"
 #include "libavutil/bprint.h"
+#include "libavutil/crc.h"
 #include "libavutil/imgutils.h"
 #include "libavutil/stereo3d.h"
 #include "libavutil/mastering_display_metadata.h"
@@ -1169,6 +1170,7 @@  static int handle_p_frame_apng(AVCodecContext *avctx, PNGDecContext *s,
 static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
                                AVFrame *p, AVPacket *avpkt)
 {
+    const AVCRC *crc_tab = av_crc_get_table(AV_CRC_32_IEEE_LE);
     AVDictionary **metadatap = NULL;
     uint32_t tag, length;
     int decode_next_dat = 0;
@@ -1203,6 +1205,21 @@  static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
             ret = AVERROR_INVALIDDATA;
             goto fail;
         }
+        if (avctx->err_recognition & (AV_EF_CRCCHECK | AV_EF_IGNORE_ERR)) {
+            uint32_t crc_sig = AV_RB32(s->gb.buffer + length + 4);
+            uint32_t crc_cal = ~av_crc(crc_tab, UINT32_MAX, s->gb.buffer, length + 4);
+            if (crc_sig ^ crc_cal) {
+                av_log(avctx, AV_LOG_ERROR, "CRC mismatch in chunk");
+                if (avctx->err_recognition & AV_EF_EXPLODE) {
+                    av_log(avctx, AV_LOG_ERROR, ", quitting\n");
+                    ret = AVERROR_INVALIDDATA;
+                    goto fail;
+                }
+                av_log(avctx, AV_LOG_ERROR, ", skipping\n");
+                bytestream2_skip(&s->gb, 4); /* tag */
+                goto skip_tag;
+            }
+        }
         tag = bytestream2_get_le32(&s->gb);
         if (avctx->debug & FF_DEBUG_STARTCODE)
             av_log(avctx, AV_LOG_DEBUG, "png: tag=%s length=%u\n",
-- 
2.21.0