The criteria for slice structure validity is similar to that of subpicture structure validity that we saw not too long ago [1]. The relationship between tiles and slices must satisfy the following properties:
* Exhaustivity. All tiles in a picture must belong to a slice. The tiles cover the picture, so this implies the slices must cover the picture. * Mutual exclusivity. No tile may belong to more than one slice, i.e. slices may not overlap. In most cases these properties are guaranteed by the syntax. There is one noticable exception however: when pps_tile_idx_delta_present_flag is equal to one, each slice is associated with a syntax element pps_tile_idx_delta_val[i] which "specifies the difference between the tile index of the tile containing the first CTU in the ( i + 1 )-th rectangular slice and the tile index of the tile containing the first CTU in the i-th rectangular slice" [2]. When these syntax elements are present, the i-th slice can begin anywhere and the usual guarantees provided by the syntax are lost. The patch detects slice structures which violate either of the two properties above, and are therefore invalid, while building the slice map. Should the slice map be determined to be invalid, an AVERROR_INVALIDDATA is returned. This prevents issues including segmentation faults when trying to decode, invalid bitstreams. [1]: https://ffmpeg.org//pipermail/ffmpeg-devel/2024-October/334470.html [2]: H.266 (V3) Section 7.4.3.5, Picture parameter set RBSP semantics Signed-off-by: Frank Plowman <p...@frankplowman.com> --- libavcodec/vvc/ps.c | 39 ++++++++++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/libavcodec/vvc/ps.c b/libavcodec/vvc/ps.c index a5cf1d74bd..13f1cf02dd 100644 --- a/libavcodec/vvc/ps.c +++ b/libavcodec/vvc/ps.c @@ -460,7 +460,7 @@ static int pps_one_tile_slices(VVCPPS *pps, const int tile_idx, int i, int *off) return i; } -static void pps_multi_tiles_slice(VVCPPS *pps, const int tile_idx, const int i, int *off) +static int pps_multi_tiles_slice(VVCPPS *pps, int tile_idx, const int i, int *off, int *tile_in_slice) { const H266RawPPS *r = pps->r; int rx, ry, tile_x, tile_y; @@ -470,32 +470,53 @@ static void pps_multi_tiles_slice(VVCPPS *pps, const int tile_idx, const int i, pps->num_ctus_in_slice[i] = 0; for (int ty = tile_y; ty <= tile_y + r->pps_slice_height_in_tiles_minus1[i]; ty++) { for (int tx = tile_x; tx <= tile_x + r->pps_slice_width_in_tiles_minus1[i]; tx++) { + tile_idx = ty * r->num_tile_columns + tx; + if (tile_in_slice[tile_idx]) + return AVERROR_INVALIDDATA; + tile_in_slice[tile_idx] = 1; ctu_xy(&rx, &ry, tx, ty, pps); pps->num_ctus_in_slice[i] += pps_add_ctus(pps, off, rx, ry, r->col_width_val[tx], r->row_height_val[ty]); } } + + return 0; } -static void pps_rect_slice(VVCPPS *pps, const VVCSPS *sps) +static int pps_rect_slice(VVCPPS *pps, const VVCSPS *sps) { const H266RawPPS *r = pps->r; + int tile_in_slice[VVC_MAX_TILES_PER_AU] = {0}; int tile_idx = 0, off = 0; + int ret; if (r->pps_single_slice_per_subpic_flag) { pps_single_slice_per_subpic(pps, sps, &off); - return; + return 0; } for (int i = 0; i < r->pps_num_slices_in_pic_minus1 + 1; i++) { if (!r->pps_slice_width_in_tiles_minus1[i] && !r->pps_slice_height_in_tiles_minus1[i]) { + if (tile_in_slice[tile_idx]) { + return AVERROR_INVALIDDATA; + } i = pps_one_tile_slices(pps, tile_idx, i, &off); + tile_in_slice[tile_idx] = 1; } else { - pps_multi_tiles_slice(pps, tile_idx, i, &off); + ret = pps_multi_tiles_slice(pps, tile_idx, i, &off, tile_in_slice); + if (ret < 0) + return ret; } tile_idx = next_tile_idx(tile_idx, i, r); } + + for (int i = 0; i < r->num_tiles_in_pic; i++) { + if (!tile_in_slice[i]) + return AVERROR_INVALIDDATA; + } + + return 0; } static void pps_no_rect_slice(VVCPPS* pps) @@ -513,13 +534,17 @@ static void pps_no_rect_slice(VVCPPS* pps) static int pps_slice_map(VVCPPS *pps, const VVCSPS *sps) { + int ret; + pps->ctb_addr_in_slice = av_calloc(pps->ctb_count, sizeof(*pps->ctb_addr_in_slice)); if (!pps->ctb_addr_in_slice) return AVERROR(ENOMEM); - if (pps->r->pps_rect_slice_flag) - pps_rect_slice(pps, sps); - else + if (pps->r->pps_rect_slice_flag) { + ret = pps_rect_slice(pps, sps); + if (ret < 0) + return AVERROR_INVALIDDATA; + } else pps_no_rect_slice(pps); return 0; -- 2.47.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
