From patchwork Wed Jun 5 09:10:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Frank Plowman X-Patchwork-Id: 49569 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a59:d792:0:b0:460:55fa:d5ed with SMTP id db18csp240954vqb; Wed, 5 Jun 2024 02:11:11 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCW37+JOkPh6KYw21wmIII7dzu6QKBF6lhn9A7ENiAg8r0LzinWqNNUBkTT7b8zYwDyyme3VZG5dG8/z5c1Tx6V2IQoIM37yHI4jcQ== X-Google-Smtp-Source: AGHT+IEwQZbpqGkMUU53Bh43MvZx19Ly9w3jwJfkqxu6rP2y63+PIOF53cSDteoDgPTd2t1Ujcop X-Received: by 2002:a17:906:35d5:b0:a68:a572:fd92 with SMTP id a640c23a62f3a-a699f5613edmr121890266b.29.1717578671072; Wed, 05 Jun 2024 02:11:11 -0700 (PDT) Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100]) by mx.google.com with ESMTP id a640c23a62f3a-a68ae08b9c5si463124166b.923.2024.06.05.02.11.09; Wed, 05 Jun 2024 02:11:11 -0700 (PDT) Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@frankplowman.com header.s=zmail header.b=cYI19anq; arc=fail (body hash mismatch); spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 436D868D67A; Wed, 5 Jun 2024 12:11:06 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from sender-op-o11.zoho.eu (sender-op-o11.zoho.eu [136.143.169.11]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id E570468D67A for ; Wed, 5 Jun 2024 12:10:58 +0300 (EEST) Delivered-To: post@frankplowman.com ARC-Seal: i=1; a=rsa-sha256; t=1717578657; cv=none; d=zohomail.eu; s=zohoarc; b=CsfmjF0VijndTzoRDkEzilXbbPdNuTH6rt/YePhgq0T0tLFcFEdcNsY6hphPyG1gIamVb4xDbhJX3K9bRoPPH+TNsFuSmbtYCg8FX7GgzWGjuNbZ2K6757dbmXfpQ0UhF/zRy1biNxwjSAz0mVLOeHZU8ZBdAoFRSVDY/mNIo4E= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.eu; s=zohoarc; t=1717578657; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:MIME-Version:Message-ID:Subject:Subject:To:To:Message-Id:Reply-To; bh=jv+HXfpqFNMEF2rlKXaq9mUJ6FDzIb73Lgknuex9umM=; b=ZoEpwafO7BBq9AfBclHTqPFs0IW6hLjlA1KaBJzfwhpqyy2ANKNEoBW7o5CuNlbQpktwqf4qi+zxTaQqFzKCaqyt/oqUNYmK7k0TCDhIpXZ+DhX8UIGWWLgFidsK2nj2DadLN/AjHvmuzE1iJA3yLeiwSvIiw+RyIzck1f46uJ0= ARC-Authentication-Results: i=1; mx.zohomail.eu; dkim=pass header.i=frankplowman.com; spf=pass smtp.mailfrom=post@frankplowman.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1717578657; s=zmail; d=frankplowman.com; i=post@frankplowman.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-Id:Reply-To; bh=jv+HXfpqFNMEF2rlKXaq9mUJ6FDzIb73Lgknuex9umM=; b=cYI19anqBXjC8C381BYH+1E9CfZDsSilJSKoG4lJNbkV4l8gFEhBB/+TjW9kPwow fRzi+94PhTb9s3I7hcwpgMAE2madOxDKLUNG9bYZLp/B13U/CWlPYnlNVxRvMBiTAJQ h55nBAeMQL7fFNcHWYvmqhi4TDyx5RBm4kBNVeBo= Received: by mx.zoho.eu with SMTPS id 1717578654951590.2826682364046; Wed, 5 Jun 2024 11:10:54 +0200 (CEST) From: Frank Plowman To: ffmpeg-devel@ffmpeg.org Date: Wed, 5 Jun 2024 10:10:52 +0100 Message-ID: <20240605091052.81808-1-post@frankplowman.com> X-Mailer: git-send-email 2.45.1 MIME-Version: 1.0 X-ZohoMailClient: External Subject: [FFmpeg-devel] [PATCH] lavc/vvc: Prevent overflow in chroma QP derivation X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Frank Plowman Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: WR1dcSjwJUWA On the top of p. 112 in VVC (09/2023): It is a requirement of bitstream conformance that the values of qpInVal[ i ][ j ] and qpOutVal[ i ][ j ] shall be in the range of −QpBdOffset to 63, inclusive for i in the range of 0 to numQpTables − 1, inclusive, and j in the range of 0 to sps_num_points_in_qp_table_minus1[ i ] + 1, inclusive. Signed-off-by: Frank Plowman --- libavcodec/vvc/ps.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vvc/ps.c b/libavcodec/vvc/ps.c index 1b23675c98..b024caf460 100644 --- a/libavcodec/vvc/ps.c +++ b/libavcodec/vvc/ps.c @@ -101,9 +101,14 @@ static int sps_chroma_qp_table(VVCSPS *sps) qp_out[0] = qp_in[0] = r->sps_qp_table_start_minus26[i] + 26; for (int j = 0; j < num_points_in_qp_table; j++ ) { + const uint8_t delta_qp_out = (r->sps_delta_qp_in_val_minus1[i][j] ^ r->sps_delta_qp_diff_val[i][j]); delta_qp_in[j] = r->sps_delta_qp_in_val_minus1[i][j] + 1; + if (qp_in[j] + delta_qp_in[j] > 63) + return AVERROR_INVALIDDATA; qp_in[j+1] = qp_in[j] + delta_qp_in[j]; - qp_out[j+1] = qp_out[j] + (r->sps_delta_qp_in_val_minus1[i][j] ^ r->sps_delta_qp_diff_val[i][j]); + if (qp_out[j] + delta_qp_out > 63) + return AVERROR_INVALIDDATA; + qp_out[j+1] = qp_out[j] + delta_qp_out; } sps->chroma_qp_table[i][qp_in[0] + off] = qp_out[0]; for (int k = qp_in[0] - 1 + off; k >= 0; k--)