[FFmpeg-devel] [PATCH] avcodec/cfhd: check that lowpass_height is >= 3 when used in vertical filter
Paul B Mahol
onemda at gmail.com
Tue Sep 22 21:50:57 EEST 2020
Also check for out of buffer access.
Also return early when encountering fatal error.
Signed-off-by: Paul B Mahol <onemda at gmail.com>
---
libavcodec/cfhd.c | 89 +++++++++++++++++++++++++++++------------------
1 file changed, 56 insertions(+), 33 deletions(-)
diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
index ea35f03869..a2b9c7c76a 100644
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@@ -100,6 +100,8 @@ static void init_frame_defaults(CFHDContext *s)
s->difference_coding = 0;
s->frame_type = 0;
s->sample_type = 0;
+ if (s->transform_type != 2)
+ s->transform_type = -1;
init_plane_defaults(s);
init_peak_table_defaults(s);
}
@@ -415,14 +417,14 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
if (data > 4) {
av_log(avctx, AV_LOG_ERROR, "Channel Count of %"PRIu16" is unsupported\n", data);
ret = AVERROR_PATCHWELCOME;
- break;
+ goto end;
}
} else if (tag == SubbandCount) {
av_log(avctx, AV_LOG_DEBUG, "Subband Count: %"PRIu16"\n", data);
if (data != SUBBAND_COUNT && data != SUBBAND_COUNT_3D) {
av_log(avctx, AV_LOG_ERROR, "Subband Count of %"PRIu16" is unsupported\n", data);
ret = AVERROR_PATCHWELCOME;
- break;
+ goto end;
}
} else if (tag == ChannelNumber) {
s->channel_num = data;
@@ -430,7 +432,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
if (s->channel_num >= s->planes) {
av_log(avctx, AV_LOG_ERROR, "Invalid channel number\n");
ret = AVERROR(EINVAL);
- break;
+ goto end;
}
init_plane_defaults(s);
} else if (tag == SubbandNumber) {
@@ -442,22 +444,25 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
(s->transform_type == 2 && s->level >= DWT_LEVELS_3D)) {
av_log(avctx, AV_LOG_ERROR, "Invalid level\n");
ret = AVERROR(EINVAL);
- break;
+ goto end;
}
if (s->subband_num > 3) {
av_log(avctx, AV_LOG_ERROR, "Invalid subband number\n");
ret = AVERROR(EINVAL);
- break;
+ goto end;
}
} else if (tag == SubbandBand) {
av_log(avctx, AV_LOG_DEBUG, "Subband number actual %"PRIu16"\n", data);
- s->subband_num_actual = data;
- if ((s->transform_type == 0 && s->subband_num_actual >= SUBBAND_COUNT) ||
- (s->transform_type == 2 && s->subband_num_actual >= SUBBAND_COUNT_3D && s->subband_num_actual != 255)) {
+ if ((s->transform_type == 0 && data >= SUBBAND_COUNT) ||
+ (s->transform_type == 2 && data >= SUBBAND_COUNT_3D && data != 255)) {
av_log(avctx, AV_LOG_ERROR, "Invalid subband number actual\n");
ret = AVERROR(EINVAL);
- break;
+ goto end;
}
+ if (s->transform_type == 0 || s->transform_type == 2)
+ s->subband_num_actual = data;
+ else
+ av_log(avctx, AV_LOG_WARNING, "Ignoring subband num actual %"PRIu16"\n", data);
} else if (tag == LowpassPrecision)
av_log(avctx, AV_LOG_DEBUG, "Lowpass precision bits: %"PRIu16"\n", data);
else if (tag == Quantization) {
@@ -471,7 +476,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
if (!data || data > 5) {
av_log(avctx, AV_LOG_ERROR, "Invalid band encoding\n");
ret = AVERROR(EINVAL);
- break;
+ goto end;
}
s->band_encoding = data;
av_log(avctx, AV_LOG_DEBUG, "Encode Method for Subband %d : %x\n", s->subband_num_actual, data);
@@ -489,14 +494,18 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
if (data > 2) {
av_log(avctx, AV_LOG_ERROR, "Invalid transform type\n");
ret = AVERROR(EINVAL);
- break;
+ goto end;
} else if (data == 1) {
av_log(avctx, AV_LOG_ERROR, "unsupported transform type\n");
ret = AVERROR_PATCHWELCOME;
- break;
+ goto end;
+ }
+ if (s->transform_type == -1) {
+ s->transform_type = data;
+ av_log(avctx, AV_LOG_DEBUG, "Transform type %"PRIu16"\n", data);
+ } else {
+ av_log(avctx, AV_LOG_DEBUG, "Ignoring additional transform type %"PRIu16"\n", data);
}
- s->transform_type = data;
- av_log(avctx, AV_LOG_DEBUG, "Transform type %"PRIu16"\n", data);
} else if (abstag >= 0x4000 && abstag <= 0x40ff) {
if (abstag == 0x4001)
s->peak.level = 0;
@@ -510,7 +519,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
if (data > bytestream2_get_bytes_left(&gb) / 4) {
av_log(avctx, AV_LOG_ERROR, "too many values (%d)\n", data);
ret = AVERROR_INVALIDDATA;
- break;
+ goto end;
}
for (i = 0; i < data; i++) {
uint32_t offset = bytestream2_get_be32(&gb);
@@ -521,7 +530,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
if (data < 3) {
av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n");
ret = AVERROR(EINVAL);
- break;
+ goto end;
}
s->plane[s->channel_num].band[s->level][s->subband_num].width = data;
s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
@@ -530,7 +539,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
if (data < 3) {
av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n");
ret = AVERROR(EINVAL);
- break;
+ goto end;
}
s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
} else if (tag == BandWidth) {
@@ -538,7 +547,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
if (data < 3) {
av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n");
ret = AVERROR(EINVAL);
- break;
+ goto end;
}
s->plane[s->channel_num].band[s->level][s->subband_num].width = data;
s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
@@ -547,7 +556,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
if (data < 3) {
av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n");
ret = AVERROR(EINVAL);
- break;
+ goto end;
}
s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
} else if (tag == InputFormat) {
@@ -574,7 +583,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
if (!(data == 10 || data == 12)) {
av_log(avctx, AV_LOG_ERROR, "Invalid bits per channel\n");
ret = AVERROR(EINVAL);
- break;
+ goto end;
}
avctx->bits_per_raw_sample = s->bpc = data;
} else if (tag == EncodedFormat) {
@@ -590,7 +599,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
} else {
avpriv_report_missing_feature(avctx, "Sample format of %"PRIu16, data);
ret = AVERROR_PATCHWELCOME;
- break;
+ goto end;
}
s->planes = data == 2 ? 4 : av_pix_fmt_count_planes(s->coded_format);
} else if (tag == -DisplayHeight) {
@@ -904,7 +913,8 @@ finish:
}
if (lowpass_height > s->plane[plane].band[0][0].a_height || lowpass_width > s->plane[plane].band[0][0].a_width ||
- !highpass_stride || s->plane[plane].band[0][1].width > s->plane[plane].band[0][1].a_width) {
+ !highpass_stride || s->plane[plane].band[0][1].width > s->plane[plane].band[0][1].a_width ||
+ lowpass_width < 3 || lowpass_height < 3) {
av_log(avctx, AV_LOG_ERROR, "Invalid plane dimensions\n");
ret = AVERROR(EINVAL);
goto end;
@@ -944,7 +954,8 @@ finish:
highpass_stride = s->plane[plane].band[1][1].stride;
if (lowpass_height > s->plane[plane].band[1][1].a_height || lowpass_width > s->plane[plane].band[1][1].a_width ||
- !highpass_stride || s->plane[plane].band[1][1].width > s->plane[plane].band[1][1].a_width) {
+ !highpass_stride || s->plane[plane].band[1][1].width > s->plane[plane].band[1][1].a_width ||
+ lowpass_width < 3 || lowpass_height < 3) {
av_log(avctx, AV_LOG_ERROR, "Invalid plane dimensions\n");
ret = AVERROR(EINVAL);
goto end;
@@ -982,7 +993,8 @@ finish:
highpass_stride = s->plane[plane].band[2][1].stride;
if (lowpass_height > s->plane[plane].band[2][1].a_height || lowpass_width > s->plane[plane].band[2][1].a_width ||
- !highpass_stride || s->plane[plane].band[2][1].width > s->plane[plane].band[2][1].a_width) {
+ !highpass_stride || s->plane[plane].band[2][1].width > s->plane[plane].band[2][1].a_width ||
+ lowpass_height < 3 || lowpass_width < 3 || lowpass_width * 2 > s->plane[plane].width) {
av_log(avctx, AV_LOG_ERROR, "Invalid plane dimensions\n");
ret = AVERROR(EINVAL);
goto end;
@@ -1018,7 +1030,7 @@ finish:
goto end;
}
- for (i = 0; i < lowpass_height * 2; i++) {
+ for (i = 0; i < s->plane[act_plane].height; i++) {
dsp->horiz_filter_clip(dst, low, high, lowpass_width, s->bpc);
if (avctx->pix_fmt == AV_PIX_FMT_GBRAP12 && act_plane == 3)
process_alpha(dst, lowpass_width * 2);
@@ -1042,7 +1054,7 @@ finish:
dst = (int16_t *)pic->data[act_plane];
low = s->plane[plane].l_h[6];
high = s->plane[plane].l_h[7];
- for (i = 0; i < lowpass_height; i++) {
+ for (i = 0; i < s->plane[act_plane].height / 2; i++) {
interlaced_vertical_filter(dst, low, high, lowpass_width * 2, pic->linesize[act_plane]/2, act_plane);
low += output_stride * 2;
high += output_stride * 2;
@@ -1068,7 +1080,8 @@ finish:
}
if (lowpass_height > s->plane[plane].band[0][0].a_height || lowpass_width > s->plane[plane].band[0][0].a_width ||
- !highpass_stride || s->plane[plane].band[0][1].width > s->plane[plane].band[0][1].a_width) {
+ !highpass_stride || s->plane[plane].band[0][1].width > s->plane[plane].band[0][1].a_width ||
+ lowpass_width < 3 || lowpass_height < 3) {
av_log(avctx, AV_LOG_ERROR, "Invalid plane dimensions\n");
ret = AVERROR(EINVAL);
goto end;
@@ -1106,7 +1119,8 @@ finish:
highpass_stride = s->plane[plane].band[1][1].stride;
if (lowpass_height > s->plane[plane].band[1][1].a_height || lowpass_width > s->plane[plane].band[1][1].a_width ||
- !highpass_stride || s->plane[plane].band[1][1].width > s->plane[plane].band[1][1].a_width) {
+ !highpass_stride || s->plane[plane].band[1][1].width > s->plane[plane].band[1][1].a_width ||
+ lowpass_width < 3 || lowpass_height < 3) {
av_log(avctx, AV_LOG_ERROR, "Invalid plane dimensions\n");
ret = AVERROR(EINVAL);
goto end;
@@ -1158,7 +1172,8 @@ finish:
av_log(avctx, AV_LOG_DEBUG, "temporal level %i %i %i %i\n", plane, lowpass_height, lowpass_width, highpass_stride);
if (lowpass_height > s->plane[plane].band[4][1].a_height || lowpass_width > s->plane[plane].band[4][1].a_width ||
- !highpass_stride || s->plane[plane].band[4][1].width > s->plane[plane].band[4][1].a_width) {
+ !highpass_stride || s->plane[plane].band[4][1].width > s->plane[plane].band[4][1].a_width ||
+ lowpass_width < 3 || lowpass_height < 3) {
av_log(avctx, AV_LOG_ERROR, "Invalid plane dimensions\n");
ret = AVERROR(EINVAL);
goto end;
@@ -1214,7 +1229,7 @@ finish:
low = s->plane[plane].l_h[6];
high = s->plane[plane].l_h[7];
- for (i = 0; i < lowpass_height * 2; i++) {
+ for (i = 0; i < s->plane[act_plane].height; i++) {
dsp->horiz_filter_clip(dst, low, high, lowpass_width, s->bpc);
low += output_stride;
high += output_stride;
@@ -1248,7 +1263,7 @@ finish:
dst = (int16_t *)pic->data[act_plane];
low = s->plane[plane].l_h[6];
high = s->plane[plane].l_h[7];
- for (i = 0; i < lowpass_height; i++) {
+ for (i = 0; i < s->plane[act_plane].height / 2; i++) {
interlaced_vertical_filter(dst, low, high, lowpass_width * 2, pic->linesize[act_plane]/2, act_plane);
low += output_stride * 2;
high += output_stride * 2;
@@ -1277,6 +1292,14 @@ finish:
output_stride = s->plane[plane].band[4][1].a_width;
lowpass_width = s->plane[plane].band[4][1].width;
+ if (lowpass_height > s->plane[plane].band[4][1].a_height || lowpass_width > s->plane[plane].band[4][1].a_width ||
+ s->plane[plane].band[4][1].width > s->plane[plane].band[4][1].a_width ||
+ lowpass_width < 3 || lowpass_height < 3) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid plane dimensions\n");
+ ret = AVERROR(EINVAL);
+ goto end;
+ }
+
if (s->progressive) {
dst = (int16_t *)pic->data[act_plane];
low = s->plane[plane].l_h[8];
@@ -1297,7 +1320,7 @@ finish:
goto end;
}
- for (i = 0; i < lowpass_height * 2; i++) {
+ for (i = 0; i < s->plane[act_plane].height; i++) {
dsp->horiz_filter_clip(dst, low, high, lowpass_width, s->bpc);
low += output_stride;
high += output_stride;
@@ -1307,7 +1330,7 @@ finish:
dst = (int16_t *)pic->data[act_plane];
low = s->plane[plane].l_h[8];
high = s->plane[plane].l_h[9];
- for (i = 0; i < lowpass_height; i++) {
+ for (i = 0; i < s->plane[act_plane].height / 2; i++) {
interlaced_vertical_filter(dst, low, high, lowpass_width * 2, pic->linesize[act_plane]/2, act_plane);
low += output_stride * 2;
high += output_stride * 2;
--
2.17.1
More information about the ffmpeg-devel
mailing list