From patchwork Sun May 26 09:16:18 2024
X-Patchwork-Submitter: Frank Plowman
X-Patchwork-Id: 49268
From: Frank Plowman
To: ffmpeg-devel@ffmpeg.org
Cc: Frank Plowman, Nuo Mi
Date: Sun, 26 May 2024 10:16:18 +0100
Message-ID: <20240526091618.24432-1-post@frankplowman.com>
Subject: [FFmpeg-devel] [PATCH] lavc/vvc: Validate temporal MVP references

Per VVCv3 p. 157, the collocated reference picture used in temporal motion vector prediction must have RprConstraintsActiveFlag equal to zero and the same CTU size as the current picture. Add these checks, fixing crashes decoding some fuzzed bitstreams.

Additionally, only set up the collocated reference picture if it is actually going to be used (i.e. if ph_temporal_mvp_enabled_flag is 1), else legal RPR bitstreams will fail the new checks.

Co-authored-by: Nuo Mi
Signed-off-by: Frank Plowman
--- libavcodec/vvc/refs.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/vvc/refs.c b/libavcodec/vvc/refs.c index fb42963034..8b7ba639a3 100644 --- a/libavcodec/vvc/refs.c +++ b/libavcodec/vvc/refs.c
@@ -506,9 +506,14 @@ int ff_vvc_slice_rpl(VVCContext *s, VVCFrameContext *fc, SliceContext *sc) return ret; } } - if ((!rsh->sh_collocated_from_l0_flag) == lx && - rsh->sh_collocated_ref_idx < rpl->nb_refs) - fc->ref->collocated_ref = rpl->refs[rsh->sh_collocated_ref_idx].ref; + if (ph->r->ph_temporal_mvp_enabled_flag && + (!rsh->sh_collocated_from_l0_flag) == lx && + rsh->sh_collocated_ref_idx < rpl->nb_refs) { + const VVCRefPic *refp = rpl->refs + rsh->sh_collocated_ref_idx; + if (refp->is_scaled || refp->ref->sps->ctb_log2_size_y != sps->ctb_log2_size_y) + return AVERROR_INVALIDDATA; + fc->ref->collocated_ref = refp->ref; + } } return 0; }
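Review bot: In the new condition, an `sh_collocated_ref_idx` that is not less than `rpl->nb_refs` while `ph_temporal_mvp_enabled_flag` is set still falls through to `return 0` and leaves `fc->ref->collocated_ref` unassigned, so the two new rejections only cover in-range indices. Since the patch is motivated by fuzzed input, consider returning `AVERROR_INVALIDDATA` for that case too, or confirm that the index is range-checked when the slice header is parsed and that `collocated_ref` is cleared whenever temporal MVP is disabled, so no pointer from an earlier slice or picture is kept. The rejection path would also benefit from an `av_log` error line naming the constraint that failed, and from a short comment tying `refp->is_scaled` to the RprConstraintsActiveFlag requirement cited in the commit message. Finally, `refp->ref->sps` is dereferenced without a check, which is safe only if every entry in `rpl->refs` is guaranteed to be populated at this point.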