From patchwork Sun Jun 9 11:17:26 2024
X-Patchwork-Submitter: Frank Plowman
X-Patchwork-Id: 49740
From: Frank Plowman
To: ffmpeg-devel@ffmpeg.org
Cc: Frank Plowman
Date: Sun, 9 Jun 2024 12:17:26 +0100
Message-ID: <20240609111824.39178-1-post@frankplowman.com>
Subject: [FFmpeg-devel] [PATCH v4] lavc/vvc: Prevent overflow in chroma QP derivation

On the top of p. 112 in VVC (09/2023):

    It is a requirement of bitstream conformance that the values of
    qpInVal[ i ][ j ] and qpOutVal[ i ][ j ] shall be in the range
    of −QpBdOffset to 63, inclusive for i in the range of 0 to
    numQpTables − 1, inclusive, and j in the range of 0 to
    sps_num_points_in_qp_table_minus1[ i ] + 1, inclusive.

Additionally, don't discard the return code from sps_chroma_qp_table.

Signed-off-by: Frank Plowman
---
Changes since v3:
  * Add comment noting why qp_{in,out} are not tested themselves.

 libavcodec/vvc/ps.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/libavcodec/vvc/ps.c b/libavcodec/vvc/ps.c index 1b23675c98..92368eafc2 100644 --- a/libavcodec/vvc/ps.c +++ b/libavcodec/vvc/ps.c
@@ -101,9 +101,14 @@ static int sps_chroma_qp_table(VVCSPS *sps) qp_out[0] = qp_in[0] = r->sps_qp_table_start_minus26[i] + 26; for (int j = 0; j < num_points_in_qp_table; j++ ) { + const uint8_t delta_qp_out = (r->sps_delta_qp_in_val_minus1[i][j] ^ r->sps_delta_qp_diff_val[i][j]); delta_qp_in[j] = r->sps_delta_qp_in_val_minus1[i][j] + 1; + // Note: we cannot check qp_{in,out}[j+1] here as qp_*[j] + delta_qp_* + // may not fit in an 8-bit signed integer. + if (qp_in[j] + delta_qp_in[j] > 63 || qp_out[j] + delta_qp_out > 63) + return AVERROR(EINVAL); qp_in[j+1] = qp_in[j] + delta_qp_in[j]; - qp_out[j+1] = qp_out[j] + (r->sps_delta_qp_in_val_minus1[i][j] ^ r->sps_delta_qp_diff_val[i][j]); + qp_out[j+1] = qp_out[j] + delta_qp_out; } sps->chroma_qp_table[i][qp_in[0] + off] = qp_out[0]; for (int k = qp_in[0] - 1 + off; k >= 0; k--) @@ -186,8 +191,11 @@ static int sps_derive(VVCSPS *sps, void *log_ctx) sps_inter(sps); sps_partition_constraints(sps); sps_ladf(sps); - if (r->sps_chroma_format_idc != 0) - sps_chroma_qp_table(sps); + if (r->sps_chroma_format_idc != 0) { + ret = sps_chroma_qp_table(sps); + if (ret < 0) + return ret; + } return 0; }
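Review bot: The new test in the j loop of sps_chroma_qp_table enforces only the upper limit (> 63), while the conformance text quoted in the commit message gives the range as −QpBdOffset to 63. Both deltas are non-negative here (delta_qp_in[j] is sps_delta_qp_in_val_minus1[i][j] + 1 and delta_qp_out is a uint8_t), so the lower limit can only be violated by qp_in[0] and qp_out[0], which are set from sps_qp_table_start_minus26[i] + 26 on the context line above the loop. If that syntax element is range-checked elsewhere, extend the new comment to say so; otherwise test it before the loop. Separately, delta_qp_out is narrowed to uint8_t before the comparison, so if the two source fields are wider than 8 bits the check would see a truncated value; declaring it as int removes the dependence on their type.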
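Review bot: The early return added to sps_derive propagates the failure silently even though the function receives log_ctx; an av_log(log_ctx, AV_LOG_ERROR, ...) before `return ret;` would make a rejected SPS diagnosable. The hunk assigns to ret without showing its declaration, so confirm that ret is declared in sps_derive. The value being propagated is the AVERROR(EINVAL) from the first hunk; since the cause is a non-conforming bitstream rather than a bad caller argument, AVERROR_INVALIDDATA would describe it better.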