From patchwork Sun May  3 15:30:00 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mark Thompson <sw@jkqxz.net>
X-Patchwork-Id: 19451
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id D5C3044B403
	for <patchwork@ffaux-bg.ffmpeg.org>; Sun,  3 May 2020 18:30:09 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id B696B68BE73;
	Sun,  3 May 2020 18:30:09 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-wr1-f65.google.com (mail-wr1-f65.google.com
 [209.85.221.65])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 77EB768BE33
 for <ffmpeg-devel@ffmpeg.org>; Sun,  3 May 2020 18:30:02 +0300 (EEST)
Received: by mail-wr1-f65.google.com with SMTP id o27so12556145wra.12
 for <ffmpeg-devel@ffmpeg.org>; Sun, 03 May 2020 08:30:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=jkqxz-net.20150623.gappssmtp.com; s=20150623;
 h=to:from:subject:message-id:date:user-agent:mime-version
 :content-language:content-transfer-encoding;
 bh=xDCj7DH6vTP00iLaUblYPCe9a/cyS+Y6yEON3KpVAV4=;
 b=vNnDdCRXC1UPZmrs3Sx4ID/99wHshRbnx2aNHe9sVkpKoVaq86esLhytvzczQ8QQut
 34FV8t/2deADNYMBaGsMOtcKugkb1qhPGEfZiX+soz7Soa073rZMCIinC9YXEKg8v6FB
 HkyaEPpRKm9Qh4p0ciF3gBc8nUC/8PYIuwvk/8Mu/WZ5wuhiwGIK9W1eWVhKLZB8idoG
 1SzD/KL1FOkoWB/qi585tR37fkH17gos2Kj54uGOuInU7Ky09YBd5bv/HVOtTCf6oQPy
 ecptZ3fp//bgud8rLtyOx80pCVGyAlNMRY0Gt7K+u/1BVMTYFtRXAveyoyqJhoKUB3mP
 dBxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:to:from:subject:message-id:date:user-agent
 :mime-version:content-language:content-transfer-encoding;
 bh=xDCj7DH6vTP00iLaUblYPCe9a/cyS+Y6yEON3KpVAV4=;
 b=uEyADuErzKd7ZAE6vqysYbZMdXzMsizr+Q2IltS4byg0jdCCAGwLAOJdGW32tWUzgL
 FizNlxDLuSf2ksQQFdS+/03j6Az8V0I0/kZN2sdfnCyDCelAAYdCOUAmyLFWmnikJxGd
 DwlWfevPJHack0zjBPqFwcujuyMLYegB6kPg/QDBRIORiMicVK5n4RDLP090oWUJp9T7
 CK8VtzVgUCNvQkrL0hwq7fem8nmagr7T5BHwaCMfWTfqog57MYrqDLUZm6wBmuEm9fXc
 FKuyLBgv3tUcL+b1xi+SYWN1HilAihgsUsAqycTWgGT2jlCiqcFA5pJdbBcon6iFaMCR
 VAKg==
X-Gm-Message-State: AGi0PuYX/i6Fse8axdZuA1chKTMppjzFM1aoYPQ1J8vq7UQDYzQvUVW0
 IrGvaqF1qX+NFRFrtK02FFhKENtRKQ4=
X-Google-Smtp-Source: 
 APiQypLmuho1M+bYIIRyEElgZjRQ0eGZ9xMPff3oZi0I+YsVhEOc+o2gtT2RMu6gvumM12Abilhscg==
X-Received: by 2002:a5d:6a8b:: with SMTP id
 s11mr14212753wru.258.1588519801511;
 Sun, 03 May 2020 08:30:01 -0700 (PDT)
Received: from [192.168.0.3]
 (cpc91242-cmbg18-2-0-cust650.5-4.cable.virginm.net. [82.8.130.139])
 by smtp.gmail.com with ESMTPSA id n25sm10044939wmk.9.2020.05.03.08.30.00
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Sun, 03 May 2020 08:30:00 -0700 (PDT)
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
From: Mark Thompson <sw@jkqxz.net>
Message-ID: <f6da67bd-c092-ab7f-71be-c7ff66866542@jkqxz.net>
Date: Sun, 3 May 2020 16:30:00 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.5.0
MIME-Version: 1.0
Content-Language: en-US
Subject: [FFmpeg-devel] [PATCH] cbs_h265: Ensure that a predicted RPS
 doesn't contain too many pictures
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

If the RPS we are predicting from has maximum size then at least one of
the pictures in it must be discarded before adding the current one.

Also revert 588114cea4ee434c9c61353ed91ffc817d2965f5, which added
now-redundant checks for the special case of a too-large RPS with all
pictures being in the same direction from the current one.
---
It would be helpful to test this on the fuzzing samples from 20446/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-5707770718584832 which prompted the original incomplete fix.  Is there somewhere I can find them?

 libavcodec/cbs_h265_syntax_template.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c
index 5f5531944c..85ff5e5dc5 100644
--- a/libavcodec/cbs_h265_syntax_template.c
+++ b/libavcodec/cbs_h265_syntax_template.c
@@ -522,7 +522,7 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw,
         infer(inter_ref_pic_set_prediction_flag, 0);
 
     if (current->inter_ref_pic_set_prediction_flag) {
-        unsigned int ref_rps_idx, num_delta_pocs;
+        unsigned int ref_rps_idx, num_delta_pocs, num_ref_pics;
         const H265RawSTRefPicSet *ref;
         int delta_rps, d_poc;
         int ref_delta_poc_s0[HEVC_MAX_REFS], ref_delta_poc_s1[HEVC_MAX_REFS];
@@ -538,18 +538,28 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw,
         ref_rps_idx = st_rps_idx - (current->delta_idx_minus1 + 1);
         ref = &sps->st_ref_pic_set[ref_rps_idx];
         num_delta_pocs = ref->num_negative_pics + ref->num_positive_pics;
+        av_assert0(num_delta_pocs < HEVC_MAX_DPB_SIZE);
 
         flag(delta_rps_sign);
         ue(abs_delta_rps_minus1, 0, INT16_MAX);
         delta_rps = (1 - 2 * current->delta_rps_sign) *
             (current->abs_delta_rps_minus1 + 1);
 
+        num_ref_pics = 0;
         for (j = 0; j <= num_delta_pocs; j++) {
             flags(used_by_curr_pic_flag[j], 1, j);
             if (!current->used_by_curr_pic_flag[j])
                 flags(use_delta_flag[j], 1, j);
             else
                 infer(use_delta_flag[j], 1);
+            if (current->use_delta_flag[i])
+                ++num_ref_pics;
+        }
+        if (num_ref_pics >= HEVC_MAX_DPB_SIZE) {
+            av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid stream: "
+                   "short-term ref pic set %d "
+                   "contains too many pictures.\n", st_rps_idx);
+            return AVERROR_INVALIDDATA;
         }
 
         // Since the stored form of an RPS here is actually the delta-step
@@ -601,8 +611,6 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw,
             }
         }
 
-        if (i > 15)
-            return AVERROR_INVALIDDATA;
         infer(num_negative_pics, i);
         for (i = 0; i < current->num_negative_pics; i++) {
             infer(delta_poc_s0_minus1[i],
@@ -632,8 +640,6 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw,
             }
         }
 
-        if (i + current->num_negative_pics > 15)
-            return AVERROR_INVALIDDATA;
         infer(num_positive_pics, i);
         for (i = 0; i < current->num_positive_pics; i++) {
             infer(delta_poc_s1_minus1[i],