diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 7311e6a54a..5a9ab6a084 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2554,7 +2554,7 @@ void ff_h264_hl_decode_mb(H264Context *h)
 hl_decode_mb_simple_8(h);
 }
 
-static int pred_weight_table(H264Context *h)
+int ff_pred_weight_table(H264Context *h)
 {
 int list, i;
 int luma_def, chroma_def;
@@ -3198,6 +3198,50 @@ static int h264_slice_header_init(H264Context *h, int reinit)
 return 0;
 }
 
+int ff_set_ref_count(H264Context *h)
+{
+ int num_ref_idx_active_override_flag, max_refs;
+
+ // set defaults, might be overridden a few lines later
+ h->ref_count[0] = h->pps.ref_count[0];
+ h->ref_count[1] = h->pps.ref_count[1];
+
+ if (h->slice_type_nos != AV_PICTURE_TYPE_I) {
+ if (h->slice_type_nos == AV_PICTURE_TYPE_B)
+ h->direct_spatial_mv_pred = get_bits1(&h->gb);
+ num_ref_idx_active_override_flag = get_bits1(&h->gb);
+
+ if (num_ref_idx_active_override_flag) {
+ h->ref_count[0] = get_ue_golomb(&h->gb) + 1;
+ if (h->ref_count[0] < 1)
+ return AVERROR_INVALIDDATA;
+ if (h->slice_type_nos == AV_PICTURE_TYPE_B) {
+ h->ref_count[1] = get_ue_golomb(&h->gb) + 1;
+ if (h->ref_count[1] < 1)
+ return AVERROR_INVALIDDATA;
+ }
+ }
+
+ if (h->slice_type_nos == AV_PICTURE_TYPE_B)
+ h->list_count = 2;
+ else
+ h->list_count = 1;
+ } else {
+ h->list_count = 0;
+ h->ref_count[0] = h->ref_count[1] = 0;
+ }
+
+ max_refs = h->picture_structure == PICT_FRAME ? 16 : 32;
+
+ if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
+ av_log(h->avctx, AV_LOG_ERROR, "reference overflow\n");
+ h->ref_count[0] = h->ref_count[1] = 0;
+ return AVERROR_INVALIDDATA;
+ }
+
+ return 0;
+}
+
 /**
 * Decode a slice header.
 * This will also call ff_MPV_common_init() and frame_start() as needed.
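Review bot: The two early `return AVERROR_INVALIDDATA;` exits inside the `num_ref_idx_active_override_flag` branch of ff_set_ref_count() leave the context half-updated: `h->list_count` keeps whatever an earlier slice set and `h->ref_count[]` holds a mix of PPS defaults and the rejected value, while the later "reference overflow" exit zeroes both counts before returning. Now that the function is shared by the decoder and the parser, every error exit should leave the same state; adding `h->ref_count[0] = h->ref_count[1] = 0;` and `h->list_count = 0;` before each of those returns would do that. Whether any caller reads these fields after a failure is not visible in this diff, so treat this as hardening rather than a demonstrated fault.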
@@ -3212,7 +3256,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
 {
 unsigned int first_mb_in_slice;
 unsigned int pps_id;
- int num_ref_idx_active_override_flag, max_refs, ret;
+ int ret;
 unsigned int slice_type, tmp, i, j;
 int default_ref_list_done = 0;
 int last_pic_structure, last_pic_droppable;
@@ -3619,42 +3663,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
 if (h->pps.redundant_pic_cnt_present)
 h->redundant_pic_count = get_ue_golomb(&h->gb);
 
- // set defaults, might be overridden a few lines later
- h->ref_count[0] = h->pps.ref_count[0];
- h->ref_count[1] = h->pps.ref_count[1];
-
- if (h->slice_type_nos != AV_PICTURE_TYPE_I) {
- if (h->slice_type_nos == AV_PICTURE_TYPE_B)
- h->direct_spatial_mv_pred = get_bits1(&h->gb);
- num_ref_idx_active_override_flag = get_bits1(&h->gb);
-
- if (num_ref_idx_active_override_flag) {
- h->ref_count[0] = get_ue_golomb(&h->gb) + 1;
- if (h->ref_count[0] < 1)
- return AVERROR_INVALIDDATA;
- if (h->slice_type_nos == AV_PICTURE_TYPE_B) {
- h->ref_count[1] = get_ue_golomb(&h->gb) + 1;
- if (h->ref_count[1] < 1)
- return AVERROR_INVALIDDATA;
- }
- }
-
- if (h->slice_type_nos == AV_PICTURE_TYPE_B)
- h->list_count = 2;
- else
- h->list_count = 1;
- } else {
- h->list_count = 0;
- h->ref_count[0] = h->ref_count[1] = 0;
- }
-
- max_refs = h->picture_structure == PICT_FRAME ? 16 : 32;
-
- if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
- av_log(h->avctx, AV_LOG_ERROR, "reference overflow\n");
- h->ref_count[0] = h->ref_count[1] = 0;
- return AVERROR_INVALIDDATA;
- }
+ ret = ff_set_ref_count(h);
+ if (ret < 0)
+ return ret;
 
 if (!default_ref_list_done)
 ff_h264_fill_default_ref_list(h);
@@ -3670,7 +3681,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
 if ((h->pps.weighted_pred && h->slice_type_nos == AV_PICTURE_TYPE_P) ||
 (h->pps.weighted_bipred_idc == 1 &&
 h->slice_type_nos == AV_PICTURE_TYPE_B))
- pred_weight_table(h);
+ ff_pred_weight_table(h);
 else if (h->pps.weighted_bipred_idc == 2 &&
 h->slice_type_nos == AV_PICTURE_TYPE_B) {
 implicit_weight_table(h, -1);
diff --git a/libavcodec/h264.h b/libavcodec/h264.h
index 3ef8420ef6..2fead60244 100644
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -950,5 +950,7 @@ static av_always_inline int get_dct8x8_allowed(H264Context *h)
 
 void ff_h264_draw_horiz_band(H264Context *h, int y, int height);
 int ff_init_poc(H264Context *h, int pic_field_poc[2], int *pic_poc);
+int ff_pred_weight_table(H264Context *h);
+int ff_set_ref_count(H264Context *h);
 
 #endif /* AVCODEC_H264_H */
diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c
index 75e09f400d..e6e27042fd 100644
--- a/libavcodec/h264_parser.c
+++ b/libavcodec/h264_parser.c
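Review bot: The two prototypes added to h264.h carry no comment, and their contract is not obvious from the names: as defined in h264.c, ff_set_ref_count() consumes bits from `h->gb` at its current position and overwrites `h->ref_count[]`, `h->list_count` and `h->direct_spatial_mv_pred`. I would add a comment such as `/* Parse the ref count fields of a slice header from h->gb; returns 0 or AVERROR_INVALIDDATA. */` above it, and a matching line for ff_pred_weight_table(). Both names also drop the `ff_h264_` prefix used by ff_h264_draw_horiz_band() just above, which matters more now that the functions are no longer static.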
@@ -87,6 +87,75 @@ found:
 return i - (state & 5);
 }
 
+static int scan_mmco_reset(AVCodecParserContext *s)
+{
+ H264Context *h = s->priv_data;
+
+ h->slice_type_nos = s->pict_type & 3;
+
+ if (h->pps.redundant_pic_cnt_present)
+ get_ue_golomb(&h->gb); // redundant_pic_count
+
+ if (ff_set_ref_count(h) < 0)
+ return AVERROR_INVALIDDATA;
+
+ if (h->slice_type_nos != AV_PICTURE_TYPE_I) {
+ int list;
+ for (list = 0; list < h->list_count; list++) {
+ if (get_bits1(&h->gb)) {
+ int index;
+ for (index = 0; ; index++) {
+ unsigned int reordering_of_pic_nums_idc = get_ue_golomb_31(&h->gb);
+
+ if (reordering_of_pic_nums_idc < 3)
+ get_ue_golomb(&h->gb);
+ else if (reordering_of_pic_nums_idc > 3) {
+ av_log(h->avctx, AV_LOG_ERROR,
+ "illegal reordering_of_pic_nums_idc %d\n",
+ reordering_of_pic_nums_idc);
+ return AVERROR_INVALIDDATA;
+ } else
+ break;
+
+ if (index >= h->ref_count[list]) {
+ av_log(h->avctx, AV_LOG_ERROR, "reference count overflow\n");
+ return AVERROR_INVALIDDATA;
+ }
+ }
+ }
+ }
+ }
+
+ if ((h->pps.weighted_pred && h->slice_type_nos == AV_PICTURE_TYPE_P) ||
+ (h->pps.weighted_bipred_idc == 1 && h->slice_type_nos == AV_PICTURE_TYPE_B))
+ ff_pred_weight_table(h);
+
+ if (get_bits1(&h->gb)) { // adaptive_ref_pic_marking_mode_flag
+ int i;
+ for (i = 0; i < MAX_MMCO_COUNT; i++) {
+ MMCOOpcode opcode = get_ue_golomb_31(&h->gb);
+ if (opcode > (unsigned) MMCO_LONG) {
+ av_log(h->avctx, AV_LOG_ERROR,
+ "illegal memory management control operation %d\n",
+ opcode);
+ return AVERROR_INVALIDDATA;
+ }
+ if (opcode == MMCO_END)
+ return 0;
+ else if (opcode == MMCO_RESET)
+ return 1;
+
+ if (opcode == MMCO_SHORT2UNUSED || opcode == MMCO_SHORT2LONG)
+ get_ue_golomb(&h->gb);
+ if (opcode == MMCO_SHORT2LONG || opcode == MMCO_LONG2UNUSED ||
+ opcode == MMCO_LONG || opcode == MMCO_SET_MAX_LONG)
+ get_ue_golomb_31(&h->gb);
+ }
+ }
+
+ return 0;
+}
+
 /**
 * Parse NAL units of found picture and decode some basic information.
 *
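Review bot: scan_mmco_reset() keeps reading Golomb codes from `h->gb` in the reordering loop and in the MMCO loop without checking how much data is left, although parse_nal_units() (next hunk) hands it at most 1000 unescaped bytes. Once the reader has run past the real data, the 0/1 result, which decides whether the prev_ POC state is reset, no longer reflects the stream. A check such as `if (get_bits_left(&h->gb) < 0) return AVERROR_INVALIDDATA;` after the reads in each loop iteration would make that case explicit. The result of `ff_pred_weight_table(h)` is also discarded; if it can fail (its body is outside this diff), the MMCO scan continues from an unreliable bit position. Minor: `reordering_of_pic_nums_idc` is `unsigned int` but is logged with `%d`.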
@@ -103,7 +172,7 @@ static inline int parse_nal_units(AVCodecParserContext *s,
 const uint8_t *buf_end = buf + buf_size;
 unsigned int pps_id;
 unsigned int slice_type;
- int state = -1;
+ int state = -1, got_reset = 0;
 const uint8_t *ptr;
 int field_poc[2];
 
@@ -132,8 +201,16 @@ static inline int parse_nal_units(AVCodecParserContext *s,
 case NAL_SLICE:
 case NAL_IDR_SLICE:
 // Do not walk the whole buffer just to decode slice header
- if (src_length > 60)
- src_length = 60;
+ if (state & 0x1f == NAL_IDR_SLICE || (state >> 5) & 0x3 == 0) {
+ /* IDR or disposable slice
+ * No need to decode many bytes because MMCOs shall not be present. */
+ if (src_length > 60)
+ src_length = 60;
+ } else {
+ /* To decode up to MMCOs */
+ if (src_length > 1000)
+ src_length = 1000;
+ }
 break;
 }
 ptr = ff_h264_decode_nal(h, buf, &dst_length, &consumed, src_length);
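Review bot: The new condition in the `case NAL_IDR_SLICE:` arm does not test what its comment says, because `==` binds tighter than `&`: `state & 0x1f == NAL_IDR_SLICE` parses as `state & (0x1f == NAL_IDR_SLICE)` and `(state >> 5) & 0x3 == 0` as `(state >> 5) & (0x3 == 0)`. The second operand is always 0, and the first is 0 as well unless NAL_IDR_SLICE happens to equal 0x1f (its definition is outside this diff), so the 60-byte branch is effectively dead and every slice, IDR and disposable ones included, is unescaped up to 1000 bytes. The intended test is `if ((state & 0x1f) == NAL_IDR_SLICE || ((state >> 5) & 0x3) == 0) {`. Building with `-Wparentheses` reports this pattern; parse_nal_units() starts and ends outside the hunk.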
@@ -219,16 +296,33 @@ static inline int parse_nal_units(AVCodecParserContext *s,
 h->delta_poc[1] = get_se_golomb(&h->gb);
 }
 
- /* Decode POC of this picture. */
+ /* Decode POC of this picture.
+ * The prev_ values needed for decoding POC of the next picture are not set here. */
 field_poc[0] = field_poc[1] = INT_MAX;
 ff_init_poc(h, field_poc, &s->output_picture_number);
 
+ /* Continue parsing to check if MMCO_RESET is present.
+ * FIXME: MMCO_RESET could appear in non-first slice.
+ * Maybe, we should parse all undisposable non-IDR slice of this
+ * picture until encountering MMCO_RESET in a slice of it. */
+ if (h->nal_ref_idc && h->nal_unit_type != NAL_IDR_SLICE) {
+ got_reset = scan_mmco_reset(s);
+ if (got_reset < 0)
+ return got_reset;
+ }
+
 /* Set up the prev_ values for decoding POC of the next picture. */
- h->prev_frame_num = h->frame_num;
- h->prev_frame_num_offset = h->frame_num_offset;
+ h->prev_frame_num = got_reset ? 0 : h->frame_num;
+ h->prev_frame_num_offset = got_reset ? 0 : h->frame_num_offset;
 if (h->nal_ref_idc != 0) {
- h->prev_poc_msb = h->poc_msb;
- h->prev_poc_lsb = h->poc_lsb;
+ if (!got_reset) {
+ h->prev_poc_msb = h->poc_msb;
+ h->prev_poc_lsb = h->poc_lsb;
+ } else {
+ h->prev_poc_msb = 0;
+ h->prev_poc_lsb =
+ h->picture_structure == PICT_BOTTOM_FIELD ? 0 : field_poc[0];
+ }
 }
 
 if (h->sps.pic_struct_present_flag) {
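Review bot: When scan_mmco_reset() fails, `return got_reset;` leaves before the prev_ values are assigned, so `h->prev_frame_num`, `h->prev_frame_num_offset` and the prev_poc_ fields keep the previous picture's values, where the old code always updated them at this point. The look-ahead only refines state for the next picture and everything reported for the current one has already been decoded, so I would log and continue with `got_reset = 0` rather than fail the parse; alternatively, assign the prev_ values before returning. parse_nal_units() continues outside this hunk, so what else the early return skips is not visible here.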