According to ITU-T H.265 7.4.2.1 this byte sequence should not appear in a
NAL unit but in practice in rare cases it seems it does, possibly due to buggy
encoders. Other players like VLC and Quicktime seem to be fine with it.
Currently when this sequence is found it is treated as if the next start code
has been found and the NAL unit gets truncated.
This change limits the code to only look for first start code 0x0000001 or
first escape 0x000003.
Sadly i can't share the original source file with the issue but the first
80 bytes of the NAL unit looks like this:
│00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f│0123456789abcdef│
0x00000│00 00 00 01 02 01 d0 bc 57 a1 b8 44 70 01 00 0b│........W..Dp...│
0x00010│80 2e 00 c2 6c ec 3e b9 e3 03 fb 91 2e d2 43 cb│....l.>.......C.│
0x00020│1d 2c 00 00 02 00 02 00 5c 93 72 6f 31 76 18 00│.,......\.ro1v..│
0x00030│08 38 aa b1 4c 33 3f fd 08 cb 77 9b d4 3c db 02│.8..L3?...w..<..│
0x00040│a2 04 73 15 75 de 3b c4 67 c0 8f ca ad 31 f1 99│..s.u.;.g....1..│
Signed-off-by: Anton Khirnov <anton@khirnov.net>
It does not exist for NALUs for which the SODB is empty;
it also does not exist for NALUs for which not even
the complete header is present. The former category contains
end of sequence and end of bitstream units. The latter category
consists of one-byte HEVC units (the ordinary H.264 header is only
one byte long).
This commit therefore stops stripping RBSP trailing padding
from the former type of unit and discards the latter type of unit
altogether.
This also fixes an assertion failure: Before this commit, a one-byte
HEVC NALU from an ISOBMFF packet could pass all the checks in
hevc_parse_nal_header() (because the first byte of the size field
of the next unit is mistaken as containing the temporal_id);
yet because the trailing padding bits were stripped, its actually
had a size of less than eight bits; because h2645_parse.c uses
the checked bitstream reader, the get_bits_count() of the GetBitContext
is not 16 in this case; it is not even a multiple of eight
and this can trigger an assert in ff_hevc_decode_nal_sei().
Fixes: Assertion failure
Fixes: 46662/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4947860854013952
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Forgotten in 03b82b3ab9.
(Moving data to the front is only done to make existing
initializations like H2645NAL nal = { NULL } not emit int->pointer
conversion warnings.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This commit fixes the names and constants of the reserved NAL units
with nal_unit_type 22 resp. 23. They were "IRAP_IRAP_VLC2x", but are
actually "RSV_IRAP_VLC2x".
This also required a change to cbs_h265_syntax_template.c.
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
HEVC standard supports multi-layer streams (ITU-T H.265 02/2018 Annex
F). Each NAL unit belongs to a particular layer defined by nuh_layer_id
in the header.
Currently, all NAL units that do not belong to a base layer are
automatically removed in ff_h2645_packet_split(). Some data may
therefore be lost when future filters/decoders are designed to support
multi-layer streams.
A better approach is to forward nuh_layer_id > 0 packets and let blocks
down the chain decide how to process them. The condition to remove
packets has been moved to hevcdec and cbs.
Found-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
Without reseting nal_buffer_size, av_fast_realloc will fail if
ff_h2645_packet_split is called with the unitialized pkt as argument.
Signed-off-by: James Almer <jamrial@gmail.com>
This is in preparation for a patch for cbs_h2645. Now the packet's
rbsp_buffer can be owned by an AVBuffer.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@googlemail.com>
* commit '83b2b34d06e74cc8775ba3d833f9782505e17539':
h2645_parse: use the bytestream2 API for packet splitting
Merged-by: James Almer <jamrial@gmail.com>
* commit 'c359d624d3efc3fd1d83210d78c4152bd329b765':
hevcdec: move decoder-independent declarations into a separate header
Merged-by: James Almer <jamrial@gmail.com>
The code does some nontrivial jumping around in the buffer, so it is
safer to use a checked API rather than do everything manually.
Fixes a bug in nalff parsing, where the length field is currently not
counted in the buffer size check, resulting in possible overreads with
invalid files.
CC: libav-stable@libav.org
Bug-Id: 1002
Found-By: Kamil Frankowicz
Fixes use of uninitialized memory
Fixes: 044100cb22845944988a4bd821ff8074/asan_heap-oob_329927a_1366_c3de34ce9217dac820fbb46171031bbb.jsv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The parser changes have lost the support for the needed padding, this adds it back
Fixes out of array reads
Fixes: 03ea21d271abc8acf428d42ace51d8b4/asan_heap-oob_3358eef_5692_16f0cc01ab5225e9ce591659e5c20e35.mkv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes a regression in ca2f19b9cc with some mov/mp4 files. The files have
several NAL units in the supposed single NAL unit after the size field.
Annex B start code prefixes are used to separate them. The first NAL unit
is correctly parsed but the buffer does not point to the next size field.
Instead semi random data (it seems to be the rbsp_stop_one_bit and the
start code prefix) is then parsed as length and will exceed the
remaining length of the buffer.
Patch based on the code in h264's decode_nal_units() and a similar
patch by Hendrik Leppkes in FFmpeg (a9bb4cf87d).
Bug-Id: ffmpeg/trac5529
Reported-By: Vittorio Giovara
Some streams contain an additional AnnexB NAL inside the mp4/nalff NALU.
This commonly occurs in interlaced streams where both fields are packed
into the same MP4 NAL with an AnnexB startcode in between.
Port handling of this format from the previous h264 nal handling.
Fixes trac #5529
This ports the fix from 033a533 to the new parser module in prepartion
of using it for the h264 decoder.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
* commit '90ed6c5cf7f236bc9efb47c97b40358c666d1386':
h2645_parse: compute the actual data length, without trailing paddding
Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
* commit '8229eff4b7a98ae5d85bb75f3bb072781b4a8ebe':
h2645_parse: add a function for uninitializing the packet
Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Mattias Wadman
Nuo Mi
Andreas Rheinhardt
Michael Niedermayer
Andreas Rheinhardt
James Almer
Andriy Gelman
Derek Buitenhuis
Andreas Rheinhardt
Jun Zhao
Kieran Kunhya
Clément Bœsch
Anton Khirnov
Vittorio Giovara
Janne Grunau
Hendrik Leppkes