mirror of
https://git.ffmpeg.org/ffmpeg.git
synced 2025-01-22 15:23:42 +00:00
de6df46120
Also move EC ref initialization to where the EC code is called. Fixes out of array read Fixes: asan_heap-uaf_143f420_142_20110805_112659_ch0.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
232 lines
7.1 KiB
C
232 lines
7.1 KiB
C
/*
|
|
* H.26L/H.264/AVC/JVT/14496-10/... decoder
|
|
* Copyright (c) 2003 Michael Niedermayer <michaelni@gmx.at>
|
|
*
|
|
* This file is part of FFmpeg.
|
|
*
|
|
* FFmpeg is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* FFmpeg is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with FFmpeg; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
|
|
/**
|
|
* @file
|
|
* H.264 / AVC / MPEG4 part10 codec.
|
|
* @author Michael Niedermayer <michaelni@gmx.at>
|
|
*/
|
|
|
|
#include "libavutil/avassert.h"
|
|
#include "libavutil/imgutils.h"
|
|
#include "libavutil/timer.h"
|
|
#include "internal.h"
|
|
#include "cabac.h"
|
|
#include "cabac_functions.h"
|
|
#include "error_resilience.h"
|
|
#include "avcodec.h"
|
|
#include "h264.h"
|
|
#include "h264data.h"
|
|
#include "h264chroma.h"
|
|
#include "h264_mvpred.h"
|
|
#include "golomb.h"
|
|
#include "mathops.h"
|
|
#include "mpegutils.h"
|
|
#include "rectangle.h"
|
|
#include "thread.h"
|
|
#include "vdpau_internal.h"
|
|
|
|
void ff_h264_unref_picture(H264Context *h, H264Picture *pic)
|
|
{
|
|
int off = offsetof(H264Picture, tf) + sizeof(pic->tf);
|
|
int i;
|
|
|
|
if (!pic->f.buf[0])
|
|
return;
|
|
|
|
ff_thread_release_buffer(h->avctx, &pic->tf);
|
|
av_buffer_unref(&pic->hwaccel_priv_buf);
|
|
|
|
av_buffer_unref(&pic->qscale_table_buf);
|
|
av_buffer_unref(&pic->mb_type_buf);
|
|
for (i = 0; i < 2; i++) {
|
|
av_buffer_unref(&pic->motion_val_buf[i]);
|
|
av_buffer_unref(&pic->ref_index_buf[i]);
|
|
}
|
|
|
|
memset((uint8_t*)pic + off, 0, sizeof(*pic) - off);
|
|
}
|
|
|
|
int ff_h264_ref_picture(H264Context *h, H264Picture *dst, H264Picture *src)
|
|
{
|
|
int ret, i;
|
|
|
|
av_assert0(!dst->f.buf[0]);
|
|
av_assert0(src->f.buf[0]);
|
|
|
|
src->tf.f = &src->f;
|
|
dst->tf.f = &dst->f;
|
|
ret = ff_thread_ref_frame(&dst->tf, &src->tf);
|
|
if (ret < 0)
|
|
goto fail;
|
|
|
|
dst->qscale_table_buf = av_buffer_ref(src->qscale_table_buf);
|
|
dst->mb_type_buf = av_buffer_ref(src->mb_type_buf);
|
|
if (!dst->qscale_table_buf || !dst->mb_type_buf)
|
|
goto fail;
|
|
dst->qscale_table = src->qscale_table;
|
|
dst->mb_type = src->mb_type;
|
|
|
|
for (i = 0; i < 2; i++) {
|
|
dst->motion_val_buf[i] = av_buffer_ref(src->motion_val_buf[i]);
|
|
dst->ref_index_buf[i] = av_buffer_ref(src->ref_index_buf[i]);
|
|
if (!dst->motion_val_buf[i] || !dst->ref_index_buf[i])
|
|
goto fail;
|
|
dst->motion_val[i] = src->motion_val[i];
|
|
dst->ref_index[i] = src->ref_index[i];
|
|
}
|
|
|
|
if (src->hwaccel_picture_private) {
|
|
dst->hwaccel_priv_buf = av_buffer_ref(src->hwaccel_priv_buf);
|
|
if (!dst->hwaccel_priv_buf)
|
|
goto fail;
|
|
dst->hwaccel_picture_private = dst->hwaccel_priv_buf->data;
|
|
}
|
|
|
|
for (i = 0; i < 2; i++)
|
|
dst->field_poc[i] = src->field_poc[i];
|
|
|
|
memcpy(dst->ref_poc, src->ref_poc, sizeof(src->ref_poc));
|
|
memcpy(dst->ref_count, src->ref_count, sizeof(src->ref_count));
|
|
|
|
dst->poc = src->poc;
|
|
dst->frame_num = src->frame_num;
|
|
dst->mmco_reset = src->mmco_reset;
|
|
dst->pic_id = src->pic_id;
|
|
dst->long_ref = src->long_ref;
|
|
dst->mbaff = src->mbaff;
|
|
dst->field_picture = src->field_picture;
|
|
dst->needs_realloc = src->needs_realloc;
|
|
dst->reference = src->reference;
|
|
dst->crop = src->crop;
|
|
dst->crop_left = src->crop_left;
|
|
dst->crop_top = src->crop_top;
|
|
dst->recovered = src->recovered;
|
|
dst->invalid_gap = src->invalid_gap;
|
|
dst->sei_recovery_frame_cnt = src->sei_recovery_frame_cnt;
|
|
|
|
return 0;
|
|
fail:
|
|
ff_h264_unref_picture(h, dst);
|
|
return ret;
|
|
}
|
|
|
|
void ff_h264_set_erpic(ERPicture *dst, H264Picture *src)
|
|
{
|
|
#if CONFIG_ERROR_RESILIENCE
|
|
int i;
|
|
|
|
memset(dst, 0, sizeof(*dst));
|
|
|
|
if (!src)
|
|
return;
|
|
|
|
dst->f = &src->f;
|
|
dst->tf = &src->tf;
|
|
|
|
for (i = 0; i < 2; i++) {
|
|
dst->motion_val[i] = src->motion_val[i];
|
|
dst->ref_index[i] = src->ref_index[i];
|
|
}
|
|
|
|
dst->mb_type = src->mb_type;
|
|
dst->field_picture = src->field_picture;
|
|
#endif /* CONFIG_ERROR_RESILIENCE */
|
|
}
|
|
|
|
int ff_h264_field_end(H264Context *h, int in_setup)
|
|
{
|
|
AVCodecContext *const avctx = h->avctx;
|
|
int err = 0;
|
|
h->mb_y = 0;
|
|
|
|
if (CONFIG_H264_VDPAU_DECODER &&
|
|
h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU)
|
|
ff_vdpau_h264_set_reference_frames(h);
|
|
|
|
if (in_setup || !(avctx->active_thread_type & FF_THREAD_FRAME)) {
|
|
if (!h->droppable) {
|
|
err = ff_h264_execute_ref_pic_marking(h, h->mmco, h->mmco_index);
|
|
h->prev_poc_msb = h->poc_msb;
|
|
h->prev_poc_lsb = h->poc_lsb;
|
|
}
|
|
h->prev_frame_num_offset = h->frame_num_offset;
|
|
h->prev_frame_num = h->frame_num;
|
|
h->outputed_poc = h->next_outputed_poc;
|
|
}
|
|
|
|
if (avctx->hwaccel) {
|
|
if (avctx->hwaccel->end_frame(avctx) < 0)
|
|
av_log(avctx, AV_LOG_ERROR,
|
|
"hardware accelerator failed to decode picture\n");
|
|
}
|
|
|
|
if (CONFIG_H264_VDPAU_DECODER &&
|
|
h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU)
|
|
ff_vdpau_h264_picture_complete(h);
|
|
|
|
#if CONFIG_ERROR_RESILIENCE
|
|
/*
|
|
* FIXME: Error handling code does not seem to support interlaced
|
|
* when slices span multiple rows
|
|
* The ff_er_add_slice calls don't work right for bottom
|
|
* fields; they cause massive erroneous error concealing
|
|
* Error marking covers both fields (top and bottom).
|
|
* This causes a mismatched s->error_count
|
|
* and a bad error table. Further, the error count goes to
|
|
* INT_MAX when called for bottom field, because mb_y is
|
|
* past end by one (callers fault) and resync_mb_y != 0
|
|
* causes problems for the first MB line, too.
|
|
*/
|
|
if (!FIELD_PICTURE(h) && h->current_slice && !h->sps.new) {
|
|
int use_last_pic = h->last_pic_for_ec.f.buf[0] && !h->ref_count[0];
|
|
|
|
ff_h264_set_erpic(&h->er.cur_pic, h->cur_pic_ptr);
|
|
|
|
if (use_last_pic) {
|
|
ff_h264_set_erpic(&h->er.last_pic, &h->last_pic_for_ec);
|
|
COPY_PICTURE(&h->ref_list[0][0], &h->last_pic_for_ec);
|
|
} else if (h->ref_count[0]) {
|
|
ff_h264_set_erpic(&h->er.last_pic, &h->ref_list[0][0]);
|
|
} else
|
|
ff_h264_set_erpic(&h->er.last_pic, NULL);
|
|
|
|
if (h->ref_count[1])
|
|
ff_h264_set_erpic(&h->er.next_pic, &h->ref_list[1][0]);
|
|
|
|
h->er.ref_count = h->ref_count[0];
|
|
|
|
ff_er_frame_end(&h->er);
|
|
if (use_last_pic)
|
|
memset(&h->ref_list[0][0], 0, sizeof(h->last_pic_for_ec));
|
|
}
|
|
#endif /* CONFIG_ERROR_RESILIENCE */
|
|
|
|
if (!in_setup && !h->droppable)
|
|
ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX,
|
|
h->picture_structure == PICT_BOTTOM_FIELD);
|
|
emms_c();
|
|
|
|
h->current_slice = 0;
|
|
|
|
return err;
|
|
}
|