From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id EFE9B4DFFA for ; Sun, 27 Apr 2025 08:49:01 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 980A4687D69; Sun, 27 Apr 2025 11:48:57 +0300 (EEST) Received: from sender2-op-o11.zoho.eu (sender2-op-o11.zoho.eu [136.143.171.11]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 0312A687D57 for ; Sun, 27 Apr 2025 11:48:50 +0300 (EEST) ARC-Seal: i=1; a=rsa-sha256; t=1745743728; cv=none; d=zohomail.eu; s=zohoarc; b=ZOqAW6pUDiPX2jvszwY/xGi+737IdZc1EaWw55MeTV2JWVJKdY2l2u7vDFVTZdjeas2TZ8eTjwA19+ydZ0wTZubqXISXSmJLtzAmXunJIvQWI7Nwk6BxncP5IUaLM1H19vKY8cUgBqWl8lr6hZcPAgEmyVH4U/POy/tF3cERpkc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.eu; s=zohoarc; t=1745743728; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:MIME-Version:Message-ID:Subject:Subject:To:To:Message-Id:Reply-To; bh=5kyL6Ff6WaB5g031FJ+wK8+/Vs3X/4YCj0y/LVA9ls0=; b=C4lZPT83GT9ffDocnhtCZu6zQhc9VdPSTC1x77F9W3al8p8NPdrUg79ad3y9ZDSwdy6lu6Gz+BqkUDUD4H1IZZR0wv7qVCRw4+BpmeSJn1AAYldhP9dM4UxI1+ugRst0K/etHgdp3RVC87HSPCPOpt1yfqWrKG1cp9YK85cIvGg= ARC-Authentication-Results: i=1; mx.zohomail.eu; dkim=pass header.i=frankplowman.com; spf=pass smtp.mailfrom=post@frankplowman.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1745743728; s=zmail; d=frankplowman.com; i=post@frankplowman.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-ID:MIME-Version:Content-Transfer-Encoding:Message-Id:Reply-To; bh=5kyL6Ff6WaB5g031FJ+wK8+/Vs3X/4YCj0y/LVA9ls0=; b=CyqzdLuRuDqYDZusVx39syGLfwQ+KKngAby3PLr9Nw83GZT47pE8Nf+yddI0rG24 NCrfW5WVa41WH/XiR6+cu4ndCzNWFr10bpIP9MXQFbEMKs5td2PjOCPXmTHlXM5Cvki tZie2BJ0yjUdtDt45BZ5msLmEJhklY8f3TsRdbXI= Received: by mx.zoho.eu with SMTPS id 174574372635750.8270661211136; Sun, 27 Apr 2025 10:48:46 +0200 (CEST) From: Frank Plowman To: ffmpeg-devel@ffmpeg.org Date: Sun, 27 Apr 2025 09:47:52 +0100 Message-ID: <20250427084843.39670-1-post@frankplowman.com> X-Mailer: git-send-email 2.47.0 MIME-Version: 1.0 X-ZohoMailClient: External Subject: [FFmpeg-devel] [PATCH v2] lavc/vvc: Detect subpic overlaps at CTU level X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Frank Plowman , nuomi2021@gmail.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: In d5dbcc00d889fb17948b025a468b00ddbea9e058, it was hoped that detection of subpicture overlaps could be performed at the tile level, so as to avoid introducing per-CTU checks. Unfortunately since that patch, fuzzing has indicated there are some structures involving pps_subpic_one_or_more_tiles_slice where tile-level checking is not sufficient. Performing the check at the CTU level should (touch wood) be the be-all and and-all of this, as CTUs are the lowest common denominator of the picture partitioning. Signed-off-by: Frank Plowman --- Changes since v1: * Merge pps_add_ctus and pps_add_ctus_check * Change if/else for early-exit where possible --- libavcodec/vvc/ps.c | 71 ++++++++++++++++++++------------------------- 1 file changed, 31 insertions(+), 40 deletions(-) diff --git a/libavcodec/vvc/ps.c b/libavcodec/vvc/ps.c index e8c312d8ac..ed96268bae 100644 --- a/libavcodec/vvc/ps.c +++ b/libavcodec/vvc/ps.c @@ -408,6 +408,8 @@ static int pps_add_ctus(VVCPPS *pps, int *off, const int rx, const int ry, int start = *off; for (int y = 0; y < h; y++) { for (int x = 0; x < w; x++) { + if (*off >= pps->ctb_count) + return AVERROR_INVALIDDATA; pps->ctb_addr_in_slice[*off] = ctu_rs(rx + x, ry + y, pps); (*off)++; } @@ -420,9 +422,11 @@ static void pps_single_slice_picture(VVCPPS *pps, int *off) pps->num_ctus_in_slice[0] = 0; for (int j = 0; j < pps->r->num_tile_rows; j++) { for (int i = 0; i < pps->r->num_tile_columns; i++) { - pps->num_ctus_in_slice[0] += pps_add_ctus(pps, off, + const int ret = pps_add_ctus(pps, off, pps->col_bd[i], pps->row_bd[j], pps->r->col_width_val[i], pps->r->row_height_val[j]); + av_assert2(ret >= 0); + pps->num_ctus_in_slice[0] += ret; } } } @@ -451,50 +455,36 @@ static void subpic_tiles(int *tile_x, int *tile_y, int *tile_x_end, int *tile_y_ (*tile_y_end)++; } -static bool mark_tile_as_used(bool *tile_in_subpic, const int tx, const int ty, const int tile_columns) -{ - const size_t tile_idx = ty * tile_columns + tx; - if (tile_in_subpic[tile_idx]) { - /* the tile is covered by other subpictures */ - return false; - } - tile_in_subpic[tile_idx] = true; - return true; -} - -static int pps_subpic_less_than_one_tile_slice(VVCPPS *pps, const VVCSPS *sps, const int i, const int tx, const int ty, int *off, bool *tile_in_subpic) +static int pps_subpic_less_than_one_tile_slice(VVCPPS *pps, const VVCSPS *sps, const int i, const int tx, const int ty, int *off) { - const int subpic_bottom = sps->r->sps_subpic_ctu_top_left_y[i] + sps->r->sps_subpic_height_minus1[i]; - const int tile_bottom = pps->row_bd[ty] + pps->r->row_height_val[ty] - 1; - const bool is_final_subpic_in_tile = subpic_bottom == tile_bottom; - - if (is_final_subpic_in_tile && !mark_tile_as_used(tile_in_subpic, tx, ty, pps->r->num_tile_columns)) - return AVERROR_INVALIDDATA; - - pps->num_ctus_in_slice[i] = pps_add_ctus(pps, off, + const int ret = pps_add_ctus(pps, off, sps->r->sps_subpic_ctu_top_left_x[i], sps->r->sps_subpic_ctu_top_left_y[i], sps->r->sps_subpic_width_minus1[i] + 1, sps->r->sps_subpic_height_minus1[i] + 1); + if (ret < 0) + return ret; + pps->num_ctus_in_slice[i] = ret; return 0; } static int pps_subpic_one_or_more_tiles_slice(VVCPPS *pps, const int tile_x, const int tile_y, const int x_end, const int y_end, - const int i, int *off, bool *tile_in_subpic) + const int i, int *off) { for (int ty = tile_y; ty < y_end; ty++) { for (int tx = tile_x; tx < x_end; tx++) { - if (!mark_tile_as_used(tile_in_subpic, tx, ty, pps->r->num_tile_columns)) - return AVERROR_INVALIDDATA; - - pps->num_ctus_in_slice[i] += pps_add_ctus(pps, off, + const int ret = pps_add_ctus(pps, off, pps->col_bd[tx], pps->row_bd[ty], pps->r->col_width_val[tx], pps->r->row_height_val[ty]); + if (ret < 0) + return ret; + + pps->num_ctus_in_slice[i] += ret; } } return 0; } -static int pps_subpic_slice(VVCPPS *pps, const VVCSPS *sps, const int i, int *off, bool *tile_in_subpic) +static int pps_subpic_slice(VVCPPS *pps, const VVCSPS *sps, const int i, int *off) { int tx, ty, x_end, y_end; @@ -503,9 +493,9 @@ static int pps_subpic_slice(VVCPPS *pps, const VVCSPS *sps, const int i, int *of subpic_tiles(&tx, &ty, &x_end, &y_end, sps, pps, i); if (ty + 1 == y_end && sps->r->sps_subpic_height_minus1[i] + 1 < pps->r->row_height_val[ty]) - return pps_subpic_less_than_one_tile_slice(pps, sps, i, tx, ty, off, tile_in_subpic); + return pps_subpic_less_than_one_tile_slice(pps, sps, i, tx, ty, off); else - return pps_subpic_one_or_more_tiles_slice(pps, tx, ty, x_end, y_end, i, off, tile_in_subpic); + return pps_subpic_one_or_more_tiles_slice(pps, tx, ty, x_end, y_end, i, off); } static int pps_single_slice_per_subpic(VVCPPS *pps, const VVCSPS *sps, int *off) @@ -513,18 +503,11 @@ static int pps_single_slice_per_subpic(VVCPPS *pps, const VVCSPS *sps, int *off) if (!sps->r->sps_subpic_info_present_flag) { pps_single_slice_picture(pps, off); } else { - bool tile_in_subpic[VVC_MAX_TILES_PER_AU] = {0}; for (int i = 0; i < pps->r->pps_num_slices_in_pic_minus1 + 1; i++) { - const int ret = pps_subpic_slice(pps, sps, i, off, tile_in_subpic); + const int ret = pps_subpic_slice(pps, sps, i, off); if (ret < 0) return ret; } - - // We only use tile_in_subpic to check that the subpictures don't overlap - // here; we don't use tile_in_subpic to check that the subpictures cover - // every tile. It is possible to avoid doing this work here because the - // covering property of subpictures is already guaranteed by the mechanisms - // which check every CTU belongs to a slice. } return 0; } @@ -538,9 +521,12 @@ static int pps_one_tile_slices(VVCPPS *pps, const int tile_idx, int i, int *off) ctu_xy(&rx, &ry, tile_x, tile_y, pps); ctu_y_end = ry + r->row_height_val[tile_y]; while (ry < ctu_y_end) { + int ret; pps->slice_start_offset[i] = *off; - pps->num_ctus_in_slice[i] = pps_add_ctus(pps, off, rx, ry, + ret = pps_add_ctus(pps, off, rx, ry, r->col_width_val[tile_x], r->slice_height_in_ctus[i]); + av_assert2(ret >= 0); + pps->num_ctus_in_slice[i] = ret; ry += r->slice_height_in_ctus[i++]; } i--; @@ -557,13 +543,16 @@ static int pps_multi_tiles_slice(VVCPPS *pps, const int tile_idx, const int i, i pps->num_ctus_in_slice[i] = 0; for (int ty = tile_y; ty <= tile_y + r->pps_slice_height_in_tiles_minus1[i]; ty++) { for (int tx = tile_x; tx <= tile_x + r->pps_slice_width_in_tiles_minus1[i]; tx++) { + int ret; const int idx = ty * r->num_tile_columns + tx; if (tile_in_slice[idx]) return AVERROR_INVALIDDATA; tile_in_slice[idx] = true; ctu_xy(&rx, &ry, tx, ty, pps); - pps->num_ctus_in_slice[i] += pps_add_ctus(pps, off, rx, ry, + ret = pps_add_ctus(pps, off, rx, ry, r->col_width_val[tx], r->row_height_val[ty]); + av_assert2(ret >= 0); + pps->num_ctus_in_slice[i] += ret; } } @@ -610,8 +599,10 @@ static void pps_no_rect_slice(VVCPPS* pps) for (int tile_y = 0; tile_y < r->num_tile_rows; tile_y++) { for (int tile_x = 0; tile_x < r->num_tile_columns; tile_x++) { + int ret; ctu_xy(&rx, &ry, tile_x, tile_y, pps); - pps_add_ctus(pps, &off, rx, ry, r->col_width_val[tile_x], r->row_height_val[tile_y]); + ret = pps_add_ctus(pps, &off, rx, ry, r->col_width_val[tile_x], r->row_height_val[tile_y]); + av_assert2(ret >= 0); } } } -- 2.47.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".