[FFmpeg-cvslog] avcodec/h2645: Fix NAL unit padding

2016-08-24 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Thu Aug 18 20:41:31 2016 +0200| [055e5c80ee07bb7911016a552df35ad25f7eebdd] | 
committer: Michael Niedermayer

avcodec/h2645: Fix NAL unit padding

The parser changes have lost the support for the needed padding, this adds it 
back
Fixes out of array reads
Fixes: 
03ea21d271abc8acf428d42ace51d8b4/asan_heap-oob_3358eef_5692_16f0cc01ab5225e9ce591659e5c20e35.mkv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit cc13bc8c4f0f4afa30d0b94c3f3a369ccd2aaf0b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=055e5c80ee07bb7911016a552df35ad25f7eebdd
---

 libavcodec/h264.c|  2 +-
 libavcodec/h264.h|  2 --
 libavcodec/h2645_parse.c | 11 ++-
 libavcodec/h2645_parse.h |  6 --
 libavcodec/h264_parse.c  |  2 +-
 libavcodec/h264_parser.c |  2 +-
 libavcodec/hevc.c|  2 +-
 libavcodec/hevc_parser.c |  4 ++--
 libavcodec/qsvenc_hevc.c |  2 +-
 9 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index a61379c..a56f900 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -898,7 +898,7 @@ static int decode_nal_units(H264Context *h, const uint8_t 
*buf, int buf_size)
 }
 
 ret = ff_h2645_packet_split(>pkt, buf, buf_size, avctx, h->is_avc,
-h->nal_length_size, avctx->codec_id);
+h->nal_length_size, avctx->codec_id, 
avctx->flags2 & AV_CODEC_FLAG2_FAST);
 if (ret < 0) {
 av_log(avctx, AV_LOG_ERROR,
"Error splitting the input into NAL units.\n");
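Review bot: The new last argument on the `ff_h2645_packet_split()` call makes the size of the NAL buffer padding depend on the user-settable `AV_CODEC_FLAG2_FAST`, and nothing at the call site says so. With the flag set, `small_padding` is non-zero and the decoder keeps the `AV_INPUT_BUFFER_PADDING_SIZE` padding that the commit message associates with out-of-array reads, so the fix appears to cover only the default configuration. I would add a comment such as `/* FAST: NAL data may be used in place, with only AV_INPUT_BUFFER_PADDING_SIZE bytes of padding */` and confirm the decoder's reads stay in bounds in that mode, for instance by running the ASan sample named in the commit message with the flag enabled. `decode_nal_units()` starts and ends outside this hunk.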
diff --git a/libavcodec/h264.h b/libavcodec/h264.h
index efe3555..309f91d 100644
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -57,8 +57,6 @@
 
 #define MAX_DELAYED_PIC_COUNT  16
 
-#define MAX_MBPAIR_SIZE (256*1024) // a tighter bound could be calculated if 
someone cares about a few bytes
-
 /* Compiling in interlaced support reduces the speed
  * of progressive decoding by about 2%. */
 #define ALLOW_INTERLACE
diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c
index 9979b63..d2fa5a0 100644
--- a/libavcodec/h2645_parse.c
+++ b/libavcodec/h2645_parse.c
@@ -30,10 +30,11 @@
 #include "h2645_parse.h"
 
 int ff_h2645_extract_rbsp(const uint8_t *src, int length,
-  H2645NAL *nal)
+  H2645NAL *nal, int small_padding)
 {
 int i, si, di;
 uint8_t *dst;
+int64_t padding = small_padding ? AV_INPUT_BUFFER_PADDING_SIZE : 
MAX_MBPAIR_SIZE;
 
 nal->skipped_bytes = 0;
 #define STARTCODE_TEST  \
@@ -81,7 +82,7 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length,
 }
 #endif /* HAVE_FAST_UNALIGNED */
 
-if (i >= length - 1) { // no escaped 0
+if (i >= length - 1 && small_padding) { // no escaped 0
 nal->data =
 nal->raw_data = src;
 nal->size =
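Review bot: The added `&& small_padding` on the "no escaped 0" test has no comment explaining why the zero-copy shortcut is now conditional. In that branch `nal->data` and `nal->raw_data` point straight into `src`, so whatever lies behind the NAL unit is the caller's buffer rather than the padded `rbsp_buffer`. With `small_padding` clear, the code falls through to the allocation so that the larger padding exists. A comment along the lines of `/* in-place use is only safe when AV_INPUT_BUFFER_PADDING_SIZE bytes after src are enough */` would keep a later cleanup from restoring the unconditional shortcut. The branch body continues past the end of this hunk.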
@@ -90,7 +91,7 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length,
 }
 
 av_fast_malloc(>rbsp_buffer, >rbsp_buffer_size,
-   length + AV_INPUT_BUFFER_PADDING_SIZE);
+   length + padding);
 if (!nal->rbsp_buffer)
 return AVERROR(ENOMEM);
 
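Review bot: `av_fast_malloc()` does not clear what it returns, so growing the request to `length + padding` leaves up to `MAX_MBPAIR_SIZE` bytes of tail that are allocated but possibly never written. The code that fills and terminates the buffer is outside this hunk. If it still zeroes only `AV_INPUT_BUFFER_PADDING_SIZE` bytes after the payload, a decoder that runs past the end now reads stale heap contents instead of reading out of bounds, which can carry old data into decoded output. Either document that the extra bytes are slack with undefined contents, or clear them, e.g. `memset(dst + di, 0, padding);`, if the cost per NAL unit is acceptable. The same applies to the identical hunk in the master commit further down this page.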
@@ -247,7 +248,7 @@ static int h264_parse_nal_header(H2645NAL *nal, void 
*logctx)
 
 int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length,
   void *logctx, int is_nalff, int nal_length_size,
-  enum AVCodecID codec_id)
+  enum AVCodecID codec_id, int small_padding)
 {
 int consumed, ret = 0;
 const uint8_t *next_avc = is_nalff ? buf : buf + length;
@@ -322,7 +323,7 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t 
*buf, int length,
 }
 nal = >nals[pkt->nb_nals];
 
-consumed = ff_h2645_extract_rbsp(buf, extract_length, nal);
+consumed = ff_h2645_extract_rbsp(buf, extract_length, nal, 
small_padding);
 if (consumed < 0)
 return consumed;
 
diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h
index a3c7e1f..6302359 100644
--- a/libavcodec/h2645_parse.h
+++ b/libavcodec/h2645_parse.h
@@ -26,6 +26,8 @@
 #include "avcodec.h"
 #include "get_bits.h"
 
+#define MAX_MBPAIR_SIZE (256*1024) // a tighter bound could be calculated if 
someone cares about a few bytes
+
 typedef struct H2645NAL {
 uint8_t *rbsp_buffer;
 int rbsp_buffer_size;
@@ -74,14 +76,14 @@ typedef struct H2645Packet {
  * Extract the raw (unescaped) bitstream.
  */
 int ff_h2645_extract_rbsp(const uint8_t *src, int length,
-  H2645NAL *nal);
+  H2645NAL *nal, int small_padding);
 
 /**
  * Split an input packet into NAL units.
  */
 int ff_h2645_packet_split(H2645Packet *pkt, 

[FFmpeg-cvslog] avcodec/h2645: Fix NAL unit padding

2016-08-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Thu 
Aug 18 20:41:31 2016 +0200| [cc13bc8c4f0f4afa30d0b94c3f3a369ccd2aaf0b] | 
committer: Michael Niedermayer

avcodec/h2645: Fix NAL unit padding

The parser changes have lost the support for the needed padding, this adds it 
back
Fixes out of array reads
Fixes: 
03ea21d271abc8acf428d42ace51d8b4/asan_heap-oob_3358eef_5692_16f0cc01ab5225e9ce591659e5c20e35.mkv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc13bc8c4f0f4afa30d0b94c3f3a369ccd2aaf0b
---

 libavcodec/h2645_parse.c | 11 ++-
 libavcodec/h2645_parse.h |  6 --
 libavcodec/h264_parse.c  |  2 +-
 libavcodec/h264_parser.c |  2 +-
 libavcodec/h264dec.c |  2 +-
 libavcodec/h264dec.h |  2 --
 libavcodec/hevc.c|  2 +-
 libavcodec/hevc_parser.c |  4 ++--
 libavcodec/qsvenc_hevc.c |  2 +-
 9 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c
index ef872fe..4ed4c9a 100644
--- a/libavcodec/h2645_parse.c
+++ b/libavcodec/h2645_parse.c
@@ -30,10 +30,11 @@
 #include "h2645_parse.h"
 
 int ff_h2645_extract_rbsp(const uint8_t *src, int length,
-  H2645NAL *nal)
+  H2645NAL *nal, int small_padding)
 {
 int i, si, di;
 uint8_t *dst;
+int64_t padding = small_padding ? AV_INPUT_BUFFER_PADDING_SIZE : 
MAX_MBPAIR_SIZE;
 
 nal->skipped_bytes = 0;
 #define STARTCODE_TEST  \
@@ -81,7 +82,7 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length,
 }
 #endif /* HAVE_FAST_UNALIGNED */
 
-if (i >= length - 1) { // no escaped 0
+if (i >= length - 1 && small_padding) { // no escaped 0
 nal->data =
 nal->raw_data = src;
 nal->size =
@@ -90,7 +91,7 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length,
 }
 
 av_fast_malloc(>rbsp_buffer, >rbsp_buffer_size,
-   length + AV_INPUT_BUFFER_PADDING_SIZE);
+   length + padding);
 if (!nal->rbsp_buffer)
 return AVERROR(ENOMEM);
 
@@ -247,7 +248,7 @@ static int h264_parse_nal_header(H2645NAL *nal, void 
*logctx)
 
 int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length,
   void *logctx, int is_nalff, int nal_length_size,
-  enum AVCodecID codec_id)
+  enum AVCodecID codec_id, int small_padding)
 {
 int consumed, ret = 0;
 const uint8_t *next_avc = is_nalff ? buf : buf + length;
@@ -325,7 +326,7 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t 
*buf, int length,
 }
 nal = >nals[pkt->nb_nals];
 
-consumed = ff_h2645_extract_rbsp(buf, extract_length, nal);
+consumed = ff_h2645_extract_rbsp(buf, extract_length, nal, 
small_padding);
 if (consumed < 0)
 return consumed;
 
diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h
index a3c7e1f..6302359 100644
--- a/libavcodec/h2645_parse.h
+++ b/libavcodec/h2645_parse.h
@@ -26,6 +26,8 @@
 #include "avcodec.h"
 #include "get_bits.h"
 
+#define MAX_MBPAIR_SIZE (256*1024) // a tighter bound could be calculated if 
someone cares about a few bytes
+
 typedef struct H2645NAL {
 uint8_t *rbsp_buffer;
 int rbsp_buffer_size;
@@ -74,14 +76,14 @@ typedef struct H2645Packet {
  * Extract the raw (unescaped) bitstream.
  */
 int ff_h2645_extract_rbsp(const uint8_t *src, int length,
-  H2645NAL *nal);
+  H2645NAL *nal, int small_padding);
 
 /**
  * Split an input packet into NAL units.
  */
 int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length,
   void *logctx, int is_nalff, int nal_length_size,
-  enum AVCodecID codec_id);
+  enum AVCodecID codec_id, int small_padding);
 
 /**
  * Free all the allocated memory in the packet.
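Review bot: Both prototypes gain `small_padding`, but the Doxygen comments above them are left as one-line summaries and never say what the parameter selects. Since the value decides how many bytes may be read behind each NAL unit, it should be documented at the declaration, e.g. `@param small_padding if non-zero, pad with AV_INPUT_BUFFER_PADDING_SIZE and allow in-place use of src; otherwise copy and pad with MAX_MBPAIR_SIZE`. The same applies to the release/3.1 cherry-pick of this header change earlier on the page.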
diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c
index 1d4b1e4..0c87319 100644
--- a/libavcodec/h264_parse.c
+++ b/libavcodec/h264_parse.c
@@ -337,7 +337,7 @@ static int decode_extradata_ps(const uint8_t *data, int 
size, H264ParamSets *ps,
 H2645Packet pkt = { 0 };
 int i, ret = 0;
 
-ret = ff_h2645_packet_split(, data, size, logctx, is_avc, 2, 
AV_CODEC_ID_H264);
+ret = ff_h2645_packet_split(, data, size, logctx, is_avc, 2, 
AV_CODEC_ID_H264, 1);
 if (ret < 0) {
 ret = 0;
 goto fail;
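Review bot: The bare `1` passed as `small_padding` on the `ff_h2645_packet_split()` call gives no hint that the extradata path opts out of the larger padding. With that value the split may hand back NAL units that point into `data` itself, so this presumably relies on the extradata buffer carrying `AV_INPUT_BUFFER_PADDING_SIZE` bytes of padding. A short comment saying so, e.g. `/* extradata is padded by the caller; small padding is enough */`, would make the assumption checkable. `decode_extradata_ps()` starts and ends outside this hunk.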
diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c
index 0352b21..8abe05d 100644
--- a/libavcodec/h264_parser.c
+++ b/libavcodec/h264_parser.c
@@ -318,7 +318,7 @@ static inline int parse_nal_units(AVCodecParserContext *s,
 }
 break;
 }
-consumed = ff_h2645_extract_rbsp(buf + buf_index,