libavcodec.hg: h264.c comparison

comparison h264.c @ 4362:0271b214458b libavcodec

harden h264 decoding to prevent some crashes when input data is corrupted. Patch by Frank %eucloid A gmail P com% date: Jan 18, 2007 6:48 PM subject: Re: [Ffmpeg-devel] h264, protection against corrupted data (second try patch) AND date: Jan 17, 2007 8:22 PM subject: [Ffmpeg-devel] h264, protection against corrupted data this also fixes a possible security issue (the sps and pps ids where not checked, then used as index into an array of sps/pps structs which was then filled with data from the bitstream)

author	gpoirier
date	Fri, 19 Jan 2007 09:37:04 +0000
parents	d18568fb0187
children	9b7662fa4905

comparison

equal deleted inserted replaced

-:f80a3b6c6f00
+:0271b214458b
 /**
 * Picture parameter set
 */
 typedef struct PPS{
-int sps_id;
+unsigned int sps_id;
 int cabac;                  ///< entropy_coding_mode_flag
 int pic_order_present;      ///< pic_order_present_flag
 int slice_group_count;      ///< num_slice_groups_minus1 + 1
 int mb_slice_group_map_type;
 int ref_count[2];           ///< num_ref_idx_l0/1_active_minus1 + 1
 }
 h->rbsp_buffer= av_fast_realloc(h->rbsp_buffer, &h->rbsp_buffer_size, length);
 dst= h->rbsp_buffer;
+if (dst == NULL){
+return NULL;
+}
 //printf("decoding esc\n");
 si=di=0;
 while(si<length){
 //remove escapes (very rare 1:2^22)
 if(si+2<length && src[si]==0 && src[si+1]==0 && src[si+2]<=3){
 if(i>=0)
 ref->pic_id= ref->frame_num;
 }else{
 pic_id= get_ue_golomb(&s->gb); //long_term_pic_idx
 ref = h->long_ref[pic_id];
-ref->pic_id= pic_id;
+if(ref){
-assert(ref->reference == 3);
+ref->pic_id= pic_id;
-assert(ref->long_ref);
+assert(ref->reference == 3);
-i=0;
+assert(ref->long_ref);
+i=0;
+}else{
+i=-1;
+}
 }
 if (i < 0) {
 av_log(h->s.avctx, AV_LOG_ERROR, "reference picture missing during reorder\n");
 memset(&h->ref_list[list][index], 0, sizeof(Picture)); //FIXME
 case MMCO_SHORT2LONG:
 pic= remove_long(h, mmco[i].long_index);
 if(pic) unreference_pic(h, pic);
 h->long_ref[ mmco[i].long_index ]= remove_short(h, mmco[i].short_frame_num);
-h->long_ref[ mmco[i].long_index ]->long_ref=1;
+if (h->long_ref[ mmco[i].long_index ]){
-h->long_ref_count++;
+h->long_ref[ mmco[i].long_index ]->long_ref=1;
+h->long_ref_count++;
+}
 break;
 case MMCO_LONG2UNUSED:
 pic= remove_long(h, mmco[i].long_index);
 if(pic)
 unreference_pic(h, pic);
 }
 break;
 case MMCO_RESET:
 while(h->short_ref_count){
 pic= remove_short(h, h->short_ref[0]->frame_num);
-unreference_pic(h, pic);
+if(pic) unreference_pic(h, pic);
 }
 for(j = 0; j < 16; j++) {
 pic= remove_long(h, j);
 if(pic) unreference_pic(h, pic);
 }
 * decodes a slice header.
 * this will allso call MPV_common_init() and frame_start() as needed
 */
 static int decode_slice_header(H264Context *h){
 MpegEncContext * const s = &h->s;
-int first_mb_in_slice, pps_id;
+int first_mb_in_slice;
+unsigned int pps_id;
 int num_ref_idx_active_override_flag;
 static const uint8_t slice_type_map[5]= {P_TYPE, B_TYPE, I_TYPE, SP_TYPE, SI_TYPE};
 int slice_type;
 int default_ref_list_done = 0;
 h->slice_type= slice_type;
 s->pict_type= h->slice_type; // to make a few old func happy, it's wrong though
 pps_id= get_ue_golomb(&s->gb);
-if(pps_id>255){
+if(pps_id>=MAX_PPS_COUNT){
 av_log(h->s.avctx, AV_LOG_ERROR, "pps_id out of range\n");
 return -1;
 }
 h->pps= h->pps_buffer[pps_id];
 if(h->pps.slice_group_count == 0){
 if(h->sps.log2_max_frame_num == 0){
 av_log(h->s.avctx, AV_LOG_ERROR, "non existing SPS referenced\n");
 return -1;
 }
-if(h->dequant_coeff_pps != pps_id){
+if(h->dequant_coeff_pps != (int)pps_id){
-h->dequant_coeff_pps = pps_id;
+h->dequant_coeff_pps = (int)pps_id;
 init_dequant_tables(h);
 }
 s->mb_width= h->sps.mb_width;
 s->mb_height= h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag);
 h->emu_edge_width= (s->flags&CODEC_FLAG_EMU_EDGE) ? 0 : 16;
 h->emu_edge_height= FRAME_MBAFF ? 0 : h->emu_edge_width;
 if(s->avctx->debug&FF_DEBUG_PICT_INFO){
-av_log(h->s.avctx, AV_LOG_DEBUG, "slice:%d %s mb:%d %c pps:%d frame:%d poc:%d/%d ref:%d/%d qp:%d loop:%d:%d:%d weight:%d%s\n",
+av_log(h->s.avctx, AV_LOG_DEBUG, "slice:%d %s mb:%d %c pps:%u frame:%d poc:%d/%d ref:%d/%d qp:%d loop:%d:%d:%d weight:%d%s\n",
 h->slice_num,
 (s->picture_structure==PICT_FRAME ? "F" : s->picture_structure==PICT_TOP_FIELD ? "T" : "B"),
 first_mb_in_slice,
 av_get_pict_type_char(h->slice_type),
 pps_id, h->frame_num,
 }
 static inline int decode_seq_parameter_set(H264Context *h){
 MpegEncContext * const s = &h->s;
 int profile_idc, level_idc;
-int sps_id, i;
+unsigned int sps_id;
+int i;
 SPS *sps;
 profile_idc= get_bits(&s->gb, 8);
 get_bits1(&s->gb);   //constraint_set0_flag
 get_bits1(&s->gb);   //constraint_set1_flag
 get_bits1(&s->gb);   //constraint_set2_flag
 get_bits1(&s->gb);   //constraint_set3_flag
 get_bits(&s->gb, 4); // reserved
 level_idc= get_bits(&s->gb, 8);
 sps_id= get_ue_golomb(&s->gb);
+if (sps_id >= MAX_SPS_COUNT){
+// ok it has gone out of hand, someone is sending us bad stuff.
+av_log(h->s.avctx, AV_LOG_ERROR, "illegal sps_id (%d)\n", sps_id);
+return -1;
+}
 sps= &h->sps_buffer[ sps_id ];
 sps->profile_idc= profile_idc;
 sps->level_idc= level_idc;
 sps->vui_parameters_present_flag= get_bits1(&s->gb);
 if( sps->vui_parameters_present_flag )
 decode_vui_parameters(h, sps);
 if(s->avctx->debug&FF_DEBUG_PICT_INFO){
-av_log(h->s.avctx, AV_LOG_DEBUG, "sps:%d profile:%d/%d poc:%d ref:%d %dx%d %s %s crop:%d/%d/%d/%d %s\n",
+av_log(h->s.avctx, AV_LOG_DEBUG, "sps:%u profile:%d/%d poc:%d ref:%d %dx%d %s %s crop:%d/%d/%d/%d %s\n",
 sps_id, sps->profile_idc, sps->level_idc,
 sps->poc_type,
 sps->ref_frame_count,
 sps->mb_width, sps->mb_height,
 sps->frame_mbs_only_flag ? "FRM" : (sps->mb_aff ? "MB-AFF" : "PIC-AFF"),
 return 0;
 }
 static inline int decode_picture_parameter_set(H264Context *h, int bit_length){
 MpegEncContext * const s = &h->s;
-int pps_id= get_ue_golomb(&s->gb);
+unsigned int pps_id= get_ue_golomb(&s->gb);
-PPS *pps= &h->pps_buffer[pps_id];
+PPS *pps;
+if(pps_id>=MAX_PPS_COUNT){
+av_log(h->s.avctx, AV_LOG_ERROR, "pps_id out of range\n");
+return -1;
+}
+pps = &h->pps_buffer[pps_id];
 pps->sps_id= get_ue_golomb(&s->gb);
 pps->cabac= get_bits1(&s->gb);
 pps->pic_order_present= get_bits1(&s->gb);
 pps->slice_group_count= get_ue_golomb(&s->gb) + 1;
 decode_scaling_matrices(h, &h->sps_buffer[pps->sps_id], pps, 0, pps->scaling_matrix4, pps->scaling_matrix8);
 get_se_golomb(&s->gb);  //second_chroma_qp_index_offset
 }
 if(s->avctx->debug&FF_DEBUG_PICT_INFO){
-av_log(h->s.avctx, AV_LOG_DEBUG, "pps:%d sps:%d %s slice_groups:%d ref:%d/%d %s qp:%d/%d/%d %s %s %s %s\n",
+av_log(h->s.avctx, AV_LOG_DEBUG, "pps:%u sps:%u %s slice_groups:%d ref:%d/%d %s qp:%d/%d/%d %s %s %s %s\n",
 pps_id, pps->sps_id,
 pps->cabac ? "CABAC" : "CAVLC",
 pps->slice_group_count,
 pps->ref_count[0], pps->ref_count[1],
 pps->weighted_pred ? "weighted" : "",
 if(h->is_avc) {
 if(buf_index >= buf_size) break;
 nalsize = 0;
 for(i = 0; i < h->nal_length_size; i++)
 nalsize = (nalsize << 8) | buf[buf_index++];
-if(nalsize <= 1){
+if(nalsize <= 1 || nalsize > buf_size){
 if(nalsize == 1){
 buf_index++;
 continue;
 }else{
 av_log(h->s.avctx, AV_LOG_ERROR, "AVC: nal size %d\n", nalsize);
 buf_index+=3;
 }
 ptr= decode_nal(h, buf + buf_index, &dst_length, &consumed, h->is_avc ? nalsize : buf_size - buf_index);
+if (ptr==NULL || dst_length <= 0){
+return -1;
+}
 while(ptr[dst_length - 1] == 0 && dst_length > 1)
 dst_length--;
 bit_length= 8*dst_length - decode_rbsp_trailing(ptr + dst_length - 1);
 if(s->avctx->debug&FF_DEBUG_STARTCODE){

Mercurial > libavcodec.hg

comparison h264.c @ 4362:0271b214458b libavcodec