FFmpeg/libavcodec/av1_parse.h
Michael Niedermayer c27c7b49dc avcodec/av1_parse: Check obu_size
Fixes: out of array read
Fixes: SIGSEGV_get_obu_bit_length_av1_parse

Found-by: keval shah <skeval65@gmail.com>
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-10-15 01:19:45 +02:00


/*
* AV1 common parsing code
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef AVCODEC_AV1_PARSE_H
#define AVCODEC_AV1_PARSE_H
#include <stdint.h>
#include "av1.h"
#include "avcodec.h"
#include "get_bits.h"
/**
 * One OBU located inside an input buffer.
 *
 * The pointer members are borrowed: the functions declared in this header
 * do not copy bitstream data, so they are only usable while the input
 * buffer they were extracted from is still alive.
 */
typedef struct AV1OBU {
/** Size of payload */
int size;
/** Payload bytes; borrowed from the input buffer, not owned by this struct */
const uint8_t *data;
/**
* Size, in bits, of just the data, excluding the trailing_one_bit and
* any trailing padding.
*/
int size_bits;
/** Size of entire OBU, including header */
int raw_size;
/** Entire OBU, presumably starting at its header (see raw_size); borrowed, not owned */
const uint8_t *raw_data;
/** GetBitContext initialized to the start of the payload */
GetBitContext gb;
/* NOTE(review): the three fields below presumably hold the values that
 * parse_obu_header() reads from the OBU header (type: 4 bits,
 * temporal_id: 3 bits, spatial_id: 2 bits) -- confirm against the
 * code that fills this struct. */
int type;
int temporal_id;
int spatial_id;
} AV1OBU;
/** An input packet split into OBUs */
typedef struct AV1Packet {
/* Array of OBUs; presumably allocated by ff_av1_packet_split() and released
 * by ff_av1_packet_uninit() -- confirm against the implementation. */
AV1OBU *obus;
/* Presumably the number of valid entries in obus -- confirm. */
int nb_obus;
/* Presumably the allocated capacity of obus, in entries -- confirm. */
int obus_allocated;
} AV1Packet;
/**
* Extract an OBU from a raw bitstream.
*
* @param obu    OBU description; presumably filled in by this call -- confirm
* @param buf    raw bitstream to read from
* @param length presumably the number of readable bytes at buf -- confirm
* @param logctx presumably the context used for log messages -- confirm
*
* @note This function does not copy or store any bitstream data. All
* the pointers in the AV1OBU structure will be valid as long
* as the input buffer also is.
*
* @note Consequently the AV1OBU must not be used after the input buffer
* has been freed or reallocated.
*
* NOTE(review): the return convention is not visible in this header;
* confirm it against the implementation before relying on it.
*/
int ff_av1_extract_obu(AV1OBU *obu, const uint8_t *buf, int length,
void *logctx);
/**
* Split an input packet into OBUs.
*
* @param pkt    packet description; presumably receives the list of OBUs -- confirm
* @param buf    input packet data
* @param length presumably the number of readable bytes at buf -- confirm
* @param logctx presumably the context used for log messages -- confirm
*
* @note This function does not copy or store any bitstream data. All
* the pointers in the AV1Packet structure will be valid as
* long as the input buffer also is.
*
* @note Consequently the OBUs in pkt must not be used after the input
* buffer has been freed or reallocated.
*
* NOTE(review): the return convention is not visible in this header;
* confirm it against the implementation before relying on it.
*/
int ff_av1_packet_split(AV1Packet *pkt, const uint8_t *buf, int length,
void *logctx);
/**
* Free all the allocated memory in the packet.
*
* @param pkt packet whose allocations are released
*
* NOTE(review): the bitstream data the OBUs point into is not copied by the
* functions in this header, so it is presumably not freed here -- confirm.
*/
void ff_av1_packet_uninit(AV1Packet *pkt);
/**
 * Read a little-endian base-128 value from the bit reader.
 *
 * Each byte contributes its low 7 bits, least significant group first;
 * a clear top bit ends the value. At most 8 bytes are consumed, and the
 * loop simply stops after the 8th byte even if its continuation bit is
 * still set, without reporting it.
 *
 * No bounds check is done here: the caller has to verify afterwards
 * (e.g. with get_bits_left()) that the reader was not run past its end.
 *
 * @param gb bit reader positioned at the first byte of the value
 * @return the decoded value (non-negative, at most 56 bits wide)
 */
static inline int64_t leb128(GetBitContext *gb) {
    int64_t value = 0;
    int shift = 0;

    /* 8 groups of 7 bits: shifts 0, 7, ..., 49 */
    while (shift < 8 * 7) {
        int octet = get_bits(gb, 8);

        value |= (int64_t)(octet & 0x7f) << shift;
        if ((octet & 0x80) == 0)
            break;
        shift += 7;
    }

    return value;
}
/**
 * Parse the header of the OBU that starts at buf.
 *
 * The bit reader is limited to the first min(buf_size, 2 + 8) bytes, which
 * covers the two header bytes plus the longest size field leb128() reads.
 *
 * @param buf         start of the OBU
 * @param buf_size    number of bytes available at buf
 * @param obu_size    receives the payload size: the coded size field when
 *                    present, otherwise everything in buf after the header
 * @param start_pos   receives the byte offset of the payload within buf
 * @param type        receives the 4-bit OBU type
 * @param temporal_id receives the 3-bit temporal id, or 0 without extension
 * @param spatial_id  receives the 2-bit spatial id, or 0 without extension
 * @return header plus payload size in bytes (never more than buf_size) on
 *         success, a negative error code on failure
 *
 * @note Output parameters may already have been written when an error is
 *       returned; they must only be used after a non-negative return.
 * @note The size field comes from the bitstream and is untrusted. The final
 *       comparison against buf_size is what keeps an oversized value from
 *       being handed on as a length, so callers must check the return value
 *       before touching *obu_size or *start_pos.
 */
static inline int parse_obu_header(const uint8_t *buf, int buf_size,
                                   int64_t *obu_size, int *start_pos, int *type,
                                   int *temporal_id, int *spatial_id)
{
    GetBitContext reader;
    int has_extension, has_size_field;
    int64_t total;
    /* OBU header fields + max leb128 length */
    int err = init_get_bits8(&reader, buf, FFMIN(buf_size, 2 + 8));

    if (err < 0)
        return err;

    /* obu_forbidden_bit has to be zero */
    if (get_bits1(&reader))
        return AVERROR_INVALIDDATA;

    *type          = get_bits(&reader, 4);
    has_extension  = get_bits1(&reader);
    has_size_field = get_bits1(&reader);
    skip_bits1(&reader); /* obu_reserved_1bit */

    if (!has_extension) {
        *spatial_id  = 0;
        *temporal_id = 0;
    } else {
        *temporal_id = get_bits(&reader, 3);
        *spatial_id  = get_bits(&reader, 2);
        skip_bits(&reader, 3); /* extension_header_reserved_3bits */
    }

    if (has_size_field)
        *obu_size = leb128(&reader);
    else
        *obu_size = buf_size - 1 - has_extension;

    /* Any of the reads above may have run past the end of the reader. */
    if (get_bits_left(&reader) < 0)
        return AVERROR_INVALIDDATA;

    *start_pos = get_bits_count(&reader) / 8;

    /* Reject an OBU that claims to extend beyond the input. */
    total = *obu_size + *start_pos;
    if (total > buf_size)
        return AVERROR_INVALIDDATA;

    return total;
}
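/**
 * Compute the length in bits of an OBU payload without its trailing bits.
 *
 * For tile group and frame OBUs the result is simply size * 8. For every
 * other type the trailing zero bytes are dropped, then the trailing_one_bit
 * and the zero bits after it are removed from the last non-zero byte.
 *
 * @param buf  payload bytes; only read for types that carry trailing bits
 * @param size payload size in bytes. The caller must guarantee that buf
 *             holds at least this many readable bytes, because the scan
 *             starts at buf[size - 1]; this function cannot verify it.
 * @param type OBU type
 * @return the length in bits (0 for an empty or all-zero payload), or
 *         AVERROR(ERANGE) if size is negative or size * 8 does not fit
 *         in an int
 */
static inline int get_obu_bit_length(const uint8_t *buf, int size, int type)
{
    int v;

    /* A negative size would get past both the scan loop and the !size test
     * below and then index buf[size - 1] in front of the buffer, so it is
     * rejected before anything is read. */
    if (size < 0)
        return AVERROR(ERANGE);

    /* There are no trailing bits on these */
    if (type == AV1_OBU_TILE_GROUP || type == AV1_OBU_FRAME) {
        if (size > INT_MAX / 8)
            return AVERROR(ERANGE);
        else
            return size * 8;
    }

    /* Drop trailing zero bytes (padding after the trailing_one_bit). */
    while (size > 0 && buf[size - 1] == 0)
        size--;

    if (!size)
        return 0;

    /* Last non-zero byte; the loop above guarantees v != 0 here. */
    v = buf[size - 1];

    if (size > INT_MAX / 8)
        return AVERROR(ERANGE);
    size *= 8;

    /* Remove the trailing_one_bit and following trailing zeros */
    if (v)
        size -= ff_ctz(v) + 1;

    return size;
}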
#endif /* AVCODEC_AV1_PARSE_H */