From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 226B34B01B
	for <ffmpegdev@gitmailbox.com>; Sun, 26 May 2024 09:16:35 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 2A67E68D4AB;
	Sun, 26 May 2024 12:16:33 +0300 (EEST)
Received: from sender-op-o11.zoho.eu (sender-op-o11.zoho.eu [136.143.169.11])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 36FA768CBDF
 for <ffmpeg-devel@ffmpeg.org>; Sun, 26 May 2024 12:16:27 +0300 (EEST)
ARC-Seal: i=1; a=rsa-sha256; t=1716714983; cv=none; d=zohomail.eu; s=zohoarc; 
 b=lDYtik7c7z0REhkv/2AB7IAVT/kMreY9w0Vq0CWutjIv3ARx6PpsGbe+cgCz96w0Li9Jc/G94eB9+ukHL7zo90paGX34POUjG29L//6soEWHkmSAij3e+2ENKyqmMq5t6rQenOWn6njYe/8XWR2NtlgTyw5/q0dVXkpdsc2ALOA=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.eu;
 s=zohoarc; t=1716714983;
 h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:MIME-Version:Message-ID:Subject:Subject:To:To:Message-Id:Reply-To;
 bh=t7Ymhs1oFcVLpEzSDG9MfZ7gccRy1+xrpFw+LFE92zo=; 
 b=P1zhL3sf9GENdAZGQji0E1b9/KeedM8fOlK66E5GWomrkke2t6vQmK0uwB5Tu1s7XYbnTcbGGyAhUHd8/BncWocYvVLu6Ty0MmznxkTILySWknrlYhI2aHgvPEyBjnQ3HT4AfjnBOF430LZMQUdxHpZxoefUNGhVbNGSkjgFdXQ=
ARC-Authentication-Results: i=1; mx.zohomail.eu;
 dkim=pass  header.i=frankplowman.com;
 spf=pass  smtp.mailfrom=post@frankplowman.com;
 dmarc=pass header.from=<post@frankplowman.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1716714983; 
 s=zmail; d=frankplowman.com; i=post@frankplowman.com;
 h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-ID:MIME-Version:Content-Transfer-Encoding:Message-Id:Reply-To;
 bh=t7Ymhs1oFcVLpEzSDG9MfZ7gccRy1+xrpFw+LFE92zo=;
 b=KUo4Nln3Bnf2Gc8yKcMxPZH/XeJCv9sw0F8dfS3gGyzcHsjCdaTFUs87OlyVgHzM
 0tO89fBfuWXwh+0tQpFMT/W7pDBnKJjnVXNX/cCZT6vji6ASVQ2EL/2CQHGA7LvbJL5
 PL6tiXDMv4LgY5MrXVtLzzJkHXRNAxpqUQE8aIAk=
Received: by mx.zoho.eu with SMTPS id 1716714981132641.5194332818353;
 Sun, 26 May 2024 11:16:21 +0200 (CEST)
From: Frank Plowman <post@frankplowman.com>
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 26 May 2024 10:16:18 +0100
Message-ID: <20240526091618.24432-1-post@frankplowman.com>
X-Mailer: git-send-email 2.44.0
MIME-Version: 1.0
X-ZohoMailClient: External
Subject: [FFmpeg-devel] [PATCH] lavc/vvc: Validate temporal MVP references
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Frank Plowman <post@frankplowman.com>, Nuo Mi <nuomi2021@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20240526091618.24432-1-post@frankplowman.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

Per VVCv3 p. 157, the collocated reference picture used in temporal
motion vector prediction must have RprConstraintsActiveFlag equal to
zero and the same CTU size as the current picture.  Add these checks,
fixing crashes decoding some fuzzed bitstreams.

Additionally, only set up the collocated reference picture if it is
actually going to be used (i.e. if ph_temporal_mvp_enabled_flag is 1),
else legal RPR bitstreams will fail the new checks.

Co-authored-by: Nuo Mi <nuomi2021@gmail.com>
Signed-off-by: Frank Plowman <post@frankplowman.com>
---
 libavcodec/vvc/refs.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/libavcodec/vvc/refs.c b/libavcodec/vvc/refs.c
index fb42963034..8b7ba639a3 100644
--- a/libavcodec/vvc/refs.c
+++ b/libavcodec/vvc/refs.c
@@ -506,9 +506,14 @@ int ff_vvc_slice_rpl(VVCContext *s, VVCFrameContext *fc, SliceContext *sc)
                 return ret;
             }
         }
-        if ((!rsh->sh_collocated_from_l0_flag) == lx &&
-            rsh->sh_collocated_ref_idx < rpl->nb_refs)
-            fc->ref->collocated_ref = rpl->refs[rsh->sh_collocated_ref_idx].ref;
+        if (ph->r->ph_temporal_mvp_enabled_flag &&
+            (!rsh->sh_collocated_from_l0_flag) == lx &&
+            rsh->sh_collocated_ref_idx < rpl->nb_refs) {
+            const VVCRefPic *refp = rpl->refs + rsh->sh_collocated_ref_idx;
+            if (refp->is_scaled || refp->ref->sps->ctb_log2_size_y != sps->ctb_log2_size_y)
+                return AVERROR_INVALIDDATA;
+            fc->ref->collocated_ref = refp->ref;
+        }
     }
     return 0;
 }
-- 
2.44.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".