Mercurial > libavformat.hg
annotate rtp_h264.c @ 4258:35c8abd32d93 libavformat
Fix a read past end of buffer crash in the mp3 probe
author | alexc |
---|---|
date | Tue, 20 Jan 2009 08:00:39 +0000 |
parents | 77e0c7511d41 |
children | f49e5d92ab26 |
rev | line source |
---|---|
1460 | 1 /* |
2 * RTP H264 Protocol (RFC3984) | |
4251
77e0c7511d41
cosmetics: Remove pointless period after copyright statement non-sentences.
diego
parents:
4067
diff
changeset
|
3 * Copyright (c) 2006 Ryan Martell |
1460 | 4 * |
5 * This file is part of FFmpeg. | |
6 * | |
7 * FFmpeg is free software; you can redistribute it and/or | |
8 * modify it under the terms of the GNU Lesser General Public | |
9 * License as published by the Free Software Foundation; either | |
10 * version 2.1 of the License, or (at your option) any later version. | |
11 * | |
12 * FFmpeg is distributed in the hope that it will be useful, | |
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
15 * Lesser General Public License for more details. | |
16 * | |
17 * You should have received a copy of the GNU Lesser General Public | |
18 * License along with FFmpeg; if not, write to the Free Software | |
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
20 */ | |
21 | |
22 /** | |
23 * @file rtp_h264.c | |
24 * @brief H.264 / RTP Code (RFC3984) | |
25 * @author Ryan Martell <rdm4@martellventures.com> | |
26 * | |
27 * @note Notes: | |
28 * Notes: | |
29 * This currently supports packetization mode: | |
30 * Single Nal Unit Mode (0), or | |
31 * Non-Interleaved Mode (1). It currently does not support | |
32 * Interleaved Mode (2). (This requires implementing STAP-B, MTAP16, MTAP24, FU-B packet types) | |
33 * | |
34 * @note TODO: | |
35 * 1) RTCP sender reports for udp streams are required.. | |
36 * | |
37 */ | |
38 | |
3286 | 39 #include "libavutil/base64.h" |
40 #include "libavutil/avstring.h" | |
41 #include "libavcodec/bitstream.h" | |
1460 | 42 #include "avformat.h" |
43 #include "mpegts.h" | |
44 | |
45 #include <unistd.h> | |
1754 | 46 #include "network.h" |
1460 | 47 #include <assert.h> |
48 | |
49 #include "rtp_internal.h" | |
50 #include "rtp_h264.h" | |
51 | |
52 /** | |
53 RTP/H264 specific private data. | |
54 */ | |
3975
44561554cb7e
Rename RTP payload contexts to PayloadContext, suggested by Luca in
rbultje
parents:
3292
diff
changeset
|
55 struct PayloadContext { |
1460 | 56 unsigned long cookie; ///< sanity check, to make sure we get the pointer we're expecting. |
57 | |
58 //sdp setup parameters | |
59 uint8_t profile_idc; ///< from the sdp setup parameters. | |
60 uint8_t profile_iop; ///< from the sdp setup parameters. | |
61 uint8_t level_idc; ///< from the sdp setup parameters. | |
62 int packetization_mode; ///< from the sdp setup parameters. | |
63 #ifdef DEBUG | |
64 int packet_types_received[32]; | |
65 #endif | |
3975
44561554cb7e
Rename RTP payload contexts to PayloadContext, suggested by Luca in
rbultje
parents:
3292
diff
changeset
|
66 }; |
1460 | 67 |
68 #define MAGIC_COOKIE (0xdeadbeef) ///< Cookie for the extradata; to verify we are what we think we are, and that we haven't been freed. | |
69 #define DEAD_COOKIE (0xdeaddead) ///< Cookie for the extradata; once it is freed. | |
70 | |
71 /* ---------------- private code */ | |
72 static void sdp_parse_fmtp_config_h264(AVStream * stream, | |
3975
44561554cb7e
Rename RTP payload contexts to PayloadContext, suggested by Luca in
rbultje
parents:
3292
diff
changeset
|
73 PayloadContext * h264_data, |
1460 | 74 char *attr, char *value) |
75 { | |
76 AVCodecContext *codec = stream->codec; | |
77 assert(codec->codec_id == CODEC_ID_H264); | |
78 assert(h264_data != NULL); | |
79 | |
80 if (!strcmp(attr, "packetization-mode")) { | |
2362 | 81 av_log(NULL, AV_LOG_DEBUG, "H.264/RTP Packetization Mode: %d\n", atoi(value)); |
82 h264_data->packetization_mode = atoi(value); | |
1460 | 83 /* |
84 Packetization Mode: | |
85 0 or not present: Single NAL mode (Only nals from 1-23 are allowed) | |
86 1: Non-interleaved Mode: 1-23, 24 (STAP-A), 28 (FU-A) are allowed. | |
87 2: Interleaved Mode: 25 (STAP-B), 26 (MTAP16), 27 (MTAP24), 28 (FU-A), and 29 (FU-B) are allowed. | |
88 */ | |
89 if (h264_data->packetization_mode > 1) | |
90 av_log(stream, AV_LOG_ERROR, | |
91 "H.264/RTP Interleaved RTP mode is not supported yet."); | |
92 } else if (!strcmp(attr, "profile-level-id")) { | |
93 if (strlen(value) == 6) { | |
94 char buffer[3]; | |
95 // 6 characters=3 bytes, in hex. | |
96 uint8_t profile_idc; | |
97 uint8_t profile_iop; | |
98 uint8_t level_idc; | |
99 | |
100 buffer[0] = value[0]; buffer[1] = value[1]; buffer[2] = '\0'; | |
101 profile_idc = strtol(buffer, NULL, 16); | |
102 buffer[0] = value[2]; buffer[1] = value[3]; | |
103 profile_iop = strtol(buffer, NULL, 16); | |
104 buffer[0] = value[4]; buffer[1] = value[5]; | |
105 level_idc = strtol(buffer, NULL, 16); | |
106 | |
107 // set the parameters... | |
108 av_log(NULL, AV_LOG_DEBUG, | |
109 "H.264/RTP Profile IDC: %x Profile IOP: %x Level: %x\n", | |
110 profile_idc, profile_iop, level_idc); | |
111 h264_data->profile_idc = profile_idc; | |
112 h264_data->profile_iop = profile_iop; | |
113 h264_data->level_idc = level_idc; | |
114 } | |
115 } else if (!strcmp(attr, "sprop-parameter-sets")) { | |
116 uint8_t start_sequence[]= { 0, 0, 1 }; | |
117 codec->extradata_size= 0; | |
118 codec->extradata= NULL; | |
119 | |
120 while (*value) { | |
121 char base64packet[1024]; | |
122 uint8_t decoded_packet[1024]; | |
123 uint32_t packet_size; | |
124 char *dst = base64packet; | |
125 | |
126 while (*value && *value != ',' | |
127 && (dst - base64packet) < sizeof(base64packet) - 1) { | |
128 *dst++ = *value++; | |
129 } | |
130 *dst++ = '\0'; | |
131 | |
132 if (*value == ',') | |
133 value++; | |
134 | |
135 packet_size= av_base64_decode(decoded_packet, base64packet, sizeof(decoded_packet)); | |
136 if (packet_size) { | |
137 uint8_t *dest= av_malloc(packet_size+sizeof(start_sequence)+codec->extradata_size); | |
138 if(dest) | |
139 { | |
140 if(codec->extradata_size) | |
141 { | |
142 // av_realloc? | |
143 memcpy(dest, codec->extradata, codec->extradata_size); | |
144 av_free(codec->extradata); | |
145 } | |
146 | |
147 memcpy(dest+codec->extradata_size, start_sequence, sizeof(start_sequence)); | |
148 memcpy(dest+codec->extradata_size+sizeof(start_sequence), decoded_packet, packet_size); | |
149 | |
150 codec->extradata= dest; | |
151 codec->extradata_size+= sizeof(start_sequence)+packet_size; | |
152 } else { | |
153 av_log(NULL, AV_LOG_ERROR, "H.264/RTP Unable to allocate memory for extradata!"); | |
154 } | |
155 } | |
156 } | |
157 av_log(NULL, AV_LOG_DEBUG, "H.264/RTP Extradata set to %p (size: %d)!", codec->extradata, codec->extradata_size); | |
158 } | |
159 } | |
160 | |
161 // return 0 on packet, no more left, 1 on packet, 1 on partial packet... | |
3976
64056a0c38ce
Change function prototype of RTPDynamicPayloadHandler.parse_packet() to
rbultje
parents:
3975
diff
changeset
|
162 static int h264_handle_packet(PayloadContext *data, |
64056a0c38ce
Change function prototype of RTPDynamicPayloadHandler.parse_packet() to
rbultje
parents:
3975
diff
changeset
|
163 AVStream *st, |
1460 | 164 AVPacket * pkt, |
165 uint32_t * timestamp, | |
166 const uint8_t * buf, | |
2941
6da0564c9d02
Add a flags field to the RTPDynamicPayloadPacketHandlerProc (PKT_FLAG_*).
rbultje
parents:
2702
diff
changeset
|
167 int len, int flags) |
1460 | 168 { |
169 uint8_t nal = buf[0]; | |
170 uint8_t type = (nal & 0x1f); | |
171 int result= 0; | |
172 uint8_t start_sequence[]= {0, 0, 1}; | |
173 | |
3292 | 174 #ifdef DEBUG |
1460 | 175 assert(data); |
176 assert(data->cookie == MAGIC_COOKIE); | |
3292 | 177 #endif |
1460 | 178 assert(buf); |
179 | |
180 if (type >= 1 && type <= 23) | |
181 type = 1; // simplify the case. (these are all the nal types used internally by the h264 codec) | |
182 switch (type) { | |
183 case 0: // undefined; | |
184 result= -1; | |
185 break; | |
186 | |
187 case 1: | |
188 av_new_packet(pkt, len+sizeof(start_sequence)); | |
189 memcpy(pkt->data, start_sequence, sizeof(start_sequence)); | |
190 memcpy(pkt->data+sizeof(start_sequence), buf, len); | |
191 #ifdef DEBUG | |
192 data->packet_types_received[nal & 0x1f]++; | |
193 #endif | |
194 break; | |
195 | |
196 case 24: // STAP-A (one packet, multiple nals) | |
197 // consume the STAP-A NAL | |
198 buf++; | |
199 len--; | |
200 // first we are going to figure out the total size.... | |
201 { | |
202 int pass= 0; | |
203 int total_length= 0; | |
204 uint8_t *dst= NULL; | |
205 | |
206 for(pass= 0; pass<2; pass++) { | |
207 const uint8_t *src= buf; | |
208 int src_len= len; | |
209 | |
210 do { | |
1673 | 211 uint16_t nal_size = AV_RB16(src); // this going to be a problem if unaligned (can it be?) |
1460 | 212 |
213 // consume the length of the aggregate... | |
214 src += 2; | |
215 src_len -= 2; | |
216 | |
217 if (nal_size <= src_len) { | |
218 if(pass==0) { | |
219 // counting... | |
220 total_length+= sizeof(start_sequence)+nal_size; | |
221 } else { | |
222 // copying | |
223 assert(dst); | |
224 memcpy(dst, start_sequence, sizeof(start_sequence)); | |
225 dst+= sizeof(start_sequence); | |
226 memcpy(dst, src, nal_size); | |
227 #ifdef DEBUG | |
228 data->packet_types_received[*src & 0x1f]++; | |
229 #endif | |
230 dst+= nal_size; | |
231 } | |
232 } else { | |
233 av_log(NULL, AV_LOG_ERROR, | |
234 "nal size exceeds length: %d %d\n", nal_size, src_len); | |
235 } | |
236 | |
237 // eat what we handled... | |
238 src += nal_size; | |
239 src_len -= nal_size; | |
240 | |
241 if (src_len < 0) | |
242 av_log(NULL, AV_LOG_ERROR, | |
243 "Consumed more bytes than we got! (%d)\n", src_len); | |
244 } while (src_len > 2); // because there could be rtp padding.. | |
245 | |
246 if(pass==0) { | |
247 // now we know the total size of the packet (with the start sequences added) | |
248 av_new_packet(pkt, total_length); | |
249 dst= pkt->data; | |
250 } else { | |
251 assert(dst-pkt->data==total_length); | |
252 } | |
253 } | |
254 } | |
255 break; | |
256 | |
257 case 25: // STAP-B | |
258 case 26: // MTAP-16 | |
259 case 27: // MTAP-24 | |
260 case 29: // FU-B | |
261 av_log(NULL, AV_LOG_ERROR, | |
262 "Unhandled type (%d) (See RFC for implementation details\n", | |
263 type); | |
264 result= -1; | |
265 break; | |
266 | |
267 case 28: // FU-A (fragmented nal) | |
268 buf++; | |
269 len--; // skip the fu_indicator | |
270 { | |
271 // these are the same as above, we just redo them here for clarity... | |
272 uint8_t fu_indicator = nal; | |
273 uint8_t fu_header = *buf; // read the fu_header. | |
2154
b849507913da
Remove the unnecessary masking when extracting the start bit in the H.264 RTP
takis
parents:
1983
diff
changeset
|
274 uint8_t start_bit = fu_header >> 7; |
1460 | 275 // uint8_t end_bit = (fu_header & 0x40) >> 6; |
276 uint8_t nal_type = (fu_header & 0x1f); | |
277 uint8_t reconstructed_nal; | |
278 | |
279 // reconstruct this packet's true nal; only the data follows.. | |
280 reconstructed_nal = fu_indicator & (0xe0); // the original nal forbidden bit and NRI are stored in this packet's nal; | |
2155
a661d4e7cab2
Remove the unnecessary masking when reconstructing the NAL unit header in the
takis
parents:
2154
diff
changeset
|
281 reconstructed_nal |= nal_type; |
1460 | 282 |
283 // skip the fu_header... | |
284 buf++; | |
285 len--; | |
286 | |
287 #ifdef DEBUG | |
288 if (start_bit) | |
2156
cfd57cd5252b
Remove the unnecessary masking when counting received packet types in the H.264
takis
parents:
2155
diff
changeset
|
289 data->packet_types_received[nal_type]++; |
1460 | 290 #endif |
291 if(start_bit) { | |
292 // copy in the start sequence, and the reconstructed nal.... | |
293 av_new_packet(pkt, sizeof(start_sequence)+sizeof(nal)+len); | |
294 memcpy(pkt->data, start_sequence, sizeof(start_sequence)); | |
295 pkt->data[sizeof(start_sequence)]= reconstructed_nal; | |
296 memcpy(pkt->data+sizeof(start_sequence)+sizeof(nal), buf, len); | |
297 } else { | |
298 av_new_packet(pkt, len); | |
299 memcpy(pkt->data, buf, len); | |
300 } | |
301 } | |
302 break; | |
303 | |
304 case 30: // undefined | |
305 case 31: // undefined | |
306 default: | |
307 av_log(NULL, AV_LOG_ERROR, "Undefined type (%d)", type); | |
308 result= -1; | |
309 break; | |
310 } | |
311 | |
312 return result; | |
313 } | |
314 | |
315 /* ---------------- public code */ | |
3975
44561554cb7e
Rename RTP payload contexts to PayloadContext, suggested by Luca in
rbultje
parents:
3292
diff
changeset
|
316 static PayloadContext *h264_new_extradata(void) |
1460 | 317 { |
3975
44561554cb7e
Rename RTP payload contexts to PayloadContext, suggested by Luca in
rbultje
parents:
3292
diff
changeset
|
318 PayloadContext *data = |
44561554cb7e
Rename RTP payload contexts to PayloadContext, suggested by Luca in
rbultje
parents:
3292
diff
changeset
|
319 av_mallocz(sizeof(PayloadContext) + |
1460 | 320 FF_INPUT_BUFFER_PADDING_SIZE); |
321 | |
322 if (data) { | |
323 data->cookie = MAGIC_COOKIE; | |
324 } | |
325 | |
326 return data; | |
327 } | |
328 | |
3975
44561554cb7e
Rename RTP payload contexts to PayloadContext, suggested by Luca in
rbultje
parents:
3292
diff
changeset
|
329 static void h264_free_extradata(PayloadContext *data) |
1460 | 330 { |
331 #ifdef DEBUG | |
332 int ii; | |
333 | |
334 for (ii = 0; ii < 32; ii++) { | |
335 if (data->packet_types_received[ii]) | |
336 av_log(NULL, AV_LOG_DEBUG, "Received %d packets of type %d\n", | |
337 data->packet_types_received[ii], ii); | |
338 } | |
339 #endif | |
340 | |
341 assert(data); | |
342 assert(data->cookie == MAGIC_COOKIE); | |
343 | |
344 // avoid stale pointers (assert) | |
345 data->cookie = DEAD_COOKIE; | |
346 | |
347 // and clear out this... | |
348 av_free(data); | |
349 } | |
350 | |
4067
8adccfc01be3
Change function prototype of the sdp_parse_a_line in DynamicProtocolHandler.
rbultje
parents:
3976
diff
changeset
|
351 static int parse_h264_sdp_line(AVFormatContext *s, int st_index, |
8adccfc01be3
Change function prototype of the sdp_parse_a_line in DynamicProtocolHandler.
rbultje
parents:
3976
diff
changeset
|
352 PayloadContext *h264_data, const char *line) |
1460 | 353 { |
4067
8adccfc01be3
Change function prototype of the sdp_parse_a_line in DynamicProtocolHandler.
rbultje
parents:
3976
diff
changeset
|
354 AVStream *stream = s->streams[st_index]; |
1460 | 355 AVCodecContext *codec = stream->codec; |
356 const char *p = line; | |
357 | |
358 assert(h264_data->cookie == MAGIC_COOKIE); | |
359 | |
2193
5ce5fad0dfac
replace the uses of old string functions that Reimar missed
mru
parents:
2156
diff
changeset
|
360 if (av_strstart(p, "framesize:", &p)) { |
1460 | 361 char buf1[50]; |
362 char *dst = buf1; | |
363 | |
364 // remove the protocol identifier.. | |
365 while (*p && *p == ' ') p++; // strip spaces. | |
366 while (*p && *p != ' ') p++; // eat protocol identifier | |
367 while (*p && *p == ' ') p++; // strip trailing spaces. | |
368 while (*p && *p != '-' && (buf1 - dst) < sizeof(buf1) - 1) { | |
369 *dst++ = *p++; | |
370 } | |
371 *dst = '\0'; | |
372 | |
373 // a='framesize:96 320-240' | |
374 // set our parameters.. | |
375 codec->width = atoi(buf1); | |
376 codec->height = atoi(p + 1); // skip the - | |
377 codec->pix_fmt = PIX_FMT_YUV420P; | |
2193
5ce5fad0dfac
replace the uses of old string functions that Reimar missed
mru
parents:
2156
diff
changeset
|
378 } else if (av_strstart(p, "fmtp:", &p)) { |
1460 | 379 char attr[256]; |
380 char value[4096]; | |
381 | |
382 // remove the protocol identifier.. | |
383 while (*p && *p == ' ') p++; // strip spaces. | |
384 while (*p && *p != ' ') p++; // eat protocol identifier | |
385 while (*p && *p == ' ') p++; // strip trailing spaces. | |
386 | |
387 /* loop on each attribute */ | |
388 while (rtsp_next_attr_and_value | |
389 (&p, attr, sizeof(attr), value, sizeof(value))) { | |
390 /* grab the codec extra_data from the config parameter of the fmtp line */ | |
391 sdp_parse_fmtp_config_h264(stream, h264_data, attr, value); | |
392 } | |
2193
5ce5fad0dfac
replace the uses of old string functions that Reimar missed
mru
parents:
2156
diff
changeset
|
393 } else if (av_strstart(p, "cliprect:", &p)) { |
1460 | 394 // could use this if we wanted. |
395 } | |
396 | |
397 av_set_pts_info(stream, 33, 1, 90000); // 33 should be right, because the pts is 64 bit? (done elsewhere; this is a one time thing) | |
398 | |
399 return 0; // keep processing it the normal way... | |
400 } | |
401 | |
402 /** | |
403 This is the structure for expanding on the dynamic rtp protocols (makes everything static. yay!) | |
404 */ | |
405 RTPDynamicProtocolHandler ff_h264_dynamic_handler = { | |
406 "H264", | |
407 CODEC_TYPE_VIDEO, | |
408 CODEC_ID_H264, | |
409 parse_h264_sdp_line, | |
410 h264_new_extradata, | |
411 h264_free_extradata, | |
412 h264_handle_packet | |
413 }; |