From 27358f99106eb20e8c2bf3fe7cabf9330c099aca Mon Sep 17 00:00:00 2001 From: Derrick Pallas Date: Sat, 21 Mar 2020 13:36:30 -0700 Subject: [PATCH 1/6] svc_split: prevent memory leak Since pps_buf[...] might be allocated here already, prevent a memory leak by calling realloc instead of malloc. --- svc_split.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/svc_split.c b/svc_split.c index 0a389f5..adc13bf 100644 --- a/svc_split.c +++ b/svc_split.c @@ -108,7 +108,7 @@ int main(int argc, char *argv[]) break; case NAL_UNIT_TYPE_PPS: - pps_buf[h->pps->pic_parameter_set_id] = malloc(nal_end); + pps_buf[h->pps->pic_parameter_set_id] = realloc(pps_buf[h->pps->pic_parameter_set_id], nal_end); memcpy(pps_buf[h->pps->pic_parameter_set_id], p - nal_start, nal_end); pps_buf_size[h->pps->pic_parameter_set_id] = nal_end; From 33115ecc535403aad89d16622f58987a9aa43fbf Mon Sep 17 00:00:00 2001 From: Derrick Pallas Date: Sat, 21 Mar 2020 13:39:57 -0700 Subject: [PATCH 2/6] h264_analyze: constraint_byte is unread The value is being overwritten instead of or'd, which appears to be the intention. --- h264_analyze.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/h264_analyze.c b/h264_analyze.c index 373f325..5eef8ac 100644 --- a/h264_analyze.c +++ b/h264_analyze.c @@ -149,11 +149,10 @@ int main(int argc, char *argv[]) { // print codec parameter, per RFC 6381. int constraint_byte = h->sps->constraint_set0_flag << 7; - constraint_byte = h->sps->constraint_set1_flag << 6; - constraint_byte = h->sps->constraint_set2_flag << 5; - constraint_byte = h->sps->constraint_set3_flag << 4; - constraint_byte = h->sps->constraint_set4_flag << 3; - constraint_byte = h->sps->constraint_set4_flag << 3; + constraint_byte |= h->sps->constraint_set1_flag << 6; + constraint_byte |= h->sps->constraint_set2_flag << 5; + constraint_byte |= h->sps->constraint_set3_flag << 4; + constraint_byte |= h->sps->constraint_set4_flag << 3; fprintf( h264_dbgfile, "codec: avc1.%02X%02X%02X\n",h->sps->profile_idc, constraint_byte, h->sps->level_idc ); From 7422c48a5a619d213096acd6836a993e17c94b4f Mon Sep 17 00:00:00 2001 From: Derrick Pallas Date: Sat, 21 Mar 2020 13:40:47 -0700 Subject: [PATCH 3/6] h264_analyze: bail out before allocations We're allocating and then checking to see if there are enough arguments. This causes valgrind to report a memory leak, even if it doesn't matter; therefore, just fix. --- h264_analyze.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/h264_analyze.c b/h264_analyze.c index 5eef8ac..fd3fdba 100644 --- a/h264_analyze.c +++ b/h264_analyze.c @@ -64,12 +64,12 @@ int main(int argc, char *argv[]) { FILE* infile; + if (argc < 2) { usage(); return EXIT_FAILURE; } + uint8_t* buf = (uint8_t*)malloc( BUFSIZE ); h264_stream_t* h = h264_new(); - if (argc < 2) { usage(); return EXIT_FAILURE; } - int opt_verbose = 1; int opt_probe = 0; From 622f1914d81b04e20a0d8a43a07273b491ff5786 Mon Sep 17 00:00:00 2001 From: Derrick Pallas Date: Sat, 9 May 2020 19:11:41 -0700 Subject: [PATCH 4/6] h264_nal/find_nal_unit: fix buffer overread This function was not always checking to see buf[i+x] was inside the buffer before reading the memory. Now it does. --- h264_nal.c | 45 +++++++++++++++++++++------------------------ 1 file changed, 21 insertions(+), 24 deletions(-) diff --git a/h264_nal.c b/h264_nal.c index 0b883f8..adc696c 100755 --- a/h264_nal.c +++ b/h264_nal.c @@ -139,35 +139,32 @@ int find_nal_unit(uint8_t* buf, int size, int* nal_start, int* nal_end) *nal_end = 0; i = 0; - while ( //( next_bits( 24 ) != 0x000001 && next_bits( 32 ) != 0x00000001 ) - (buf[i] != 0 || buf[i+1] != 0 || buf[i+2] != 0x01) && - (buf[i] != 0 || buf[i+1] != 0 || buf[i+2] != 0 || buf[i+3] != 0x01) - ) - { - i++; // skip leading zero - if (i+4 >= size) { return 0; } // did not find nal start - } - if (buf[i] != 0 || buf[i+1] != 0 || buf[i+2] != 0x01) // ( next_bits( 24 ) != 0x000001 ) - { - i++; - } + static const uint8_t bits24_0[] = { 0x0, 0x0, 0x0 }; + static const uint8_t bits24_1[] = { 0x0, 0x0, 0x1 }; + static const uint8_t bits32_1[] = { 0x0, 0x0, 0x0, 0x1 }; - if (buf[i] != 0 || buf[i+1] != 0 || buf[i+2] != 0x01) { /* error, should never happen */ return 0; } - i+= 3; + for (; i < size; ++i) { //( next_bits( 24 ) != 0x000001 && next_bits( 32 ) != 0x00000001 ) + if (i + sizeof(bits24_1) <= size && 0==memcmp(buf+i, bits24_1, sizeof(bits24_1))) { + i += sizeof(bits24_1); + break; + } + if (i + sizeof(bits32_1) <= size && 0==memcmp(buf+i, bits32_1, sizeof(bits32_1))) { + i += sizeof(bits32_1); + break; + } + } + if (i >= size) { return -1; } // did not find nal start *nal_start = i; - - while ( //( next_bits( 24 ) != 0x000000 && next_bits( 24 ) != 0x000001 ) - (buf[i] != 0 || buf[i+1] != 0 || buf[i+2] != 0) && - (buf[i] != 0 || buf[i+1] != 0 || buf[i+2] != 0x01) - ) - { - i++; - // FIXME the next line fails when reading a nal that ends exactly at the end of the data - if (i+3 >= size) { *nal_end = size; return -1; } // did not find nal end, stream ended first + + for (++i; i < size; ++i) { //( next_bits( 24 ) != 0x000000 && next_bits( 24 ) != 0x000001 ) + if (i + sizeof(bits24_0) <= size && 0==memcmp(buf+i, bits24_1, sizeof(bits24_0))) break; + if (i + sizeof(bits24_1) <= size && 0==memcmp(buf+i, bits24_1, sizeof(bits24_1))) break; } - + + if (i >= size) { return -1; } // did not find nal end *nal_end = i; + return (*nal_end - *nal_start); } From 7fdb2485d7acc727f08f1c254e0d6e2417118cb9 Mon Sep 17 00:00:00 2001 From: Derrick Pallas Date: Sat, 9 May 2020 19:21:39 -0700 Subject: [PATCH 5/6] h264_stream: fix leak in read_debug_nal_unit + write_nal_unit In one error path, `b` and `rbsp_buf` were being leaked. It's worth noting that this was fixed in read_nal_unit. --- h264_stream.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/h264_stream.c b/h264_stream.c index db520e8..8341a82 100644 --- a/h264_stream.c +++ b/h264_stream.c @@ -1610,6 +1610,8 @@ int write_nal_unit(h264_stream_t* h, uint8_t* buf, int size) case NAL_UNIT_TYPE_CODED_SLICE_DATA_PARTITION_B: case NAL_UNIT_TYPE_CODED_SLICE_DATA_PARTITION_C: default: + bs_free(b); + free(rbsp_buf); return -1; } @@ -2939,6 +2941,8 @@ int read_debug_nal_unit(h264_stream_t* h, uint8_t* buf, int size) case NAL_UNIT_TYPE_CODED_SLICE_DATA_PARTITION_B: case NAL_UNIT_TYPE_CODED_SLICE_DATA_PARTITION_C: default: + bs_free(b); + free(rbsp_buf); return -1; } From 2ecde3e872cc7d70fb4a1c075fcd0aa055666c59 Mon Sep 17 00:00:00 2001 From: Derrick Pallas Date: Sat, 9 May 2020 20:31:22 -0700 Subject: [PATCH 6/6] h264_stream: add multiple bounds checks, & fix double-free of sps_subset_table There are a bunch of array writes that take their index from the bitstream but do not check to make sure the index is in-bound. In many of these cases, you'd expect the extra values to exist in the stream, so we still must read them. When fuzzing h256_analize with AFL++, these missing bounds checks frequently cause segfaults & other issues. Tied up in this, there is definitely a double free wrt sps_subset_table & sps_subset, since the existing code was memcpy'ing pointers to arrays between structures. This code copies the contents of the arrays instead. --- h264_stream.c | 169 +++++++++++++++++++++++++++++++++++--------------- 1 file changed, 120 insertions(+), 49 deletions(-) diff --git a/h264_stream.c b/h264_stream.c index 8341a82..1be7b2f 100644 --- a/h264_stream.c +++ b/h264_stream.c @@ -220,6 +220,7 @@ int read_nal_unit(h264_stream_t* h, uint8_t* buf, int size) if( 1 ) { + if (h->sps->seq_parameter_set_id < 0 || h->sps->seq_parameter_set_id >= 32) { bs_free(b); free(rbsp_buf); return -1; } memcpy(h->sps_table[h->sps->seq_parameter_set_id], h->sps, sizeof(sps_t)); } @@ -252,10 +253,12 @@ int read_nal_unit(h264_stream_t* h, uint8_t* buf, int size) if( 1 ) { - memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id], h->sps_subset, sizeof(sps_subset_t)); - //memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->sps, h->sps_subset->sps, sizeof(sps_t)); - //memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->sps_svc_ext, h->sps_subset->sps_svc_ext, sizeof(sps_svc_ext_t)); - //h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->additional_extension2_flag = h->sps_subset->additional_extension2_flag; + if (0 <= h->sps_subset->sps->seq_parameter_set_id && h->sps_subset->sps->seq_parameter_set_id < 32) { + //memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id], h->sps_subset, sizeof(sps_subset_t)); + memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->sps, h->sps_subset->sps, sizeof(sps_t)); + memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->sps_svc_ext, h->sps_subset->sps_svc_ext, sizeof(sps_svc_ext_t)); + h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->additional_extension2_flag = h->sps_subset->additional_extension2_flag; + } } break; @@ -428,7 +431,11 @@ void read_seq_parameter_set_rbsp(sps_t* sps, bs_t* b) sps->num_ref_frames_in_pic_order_cnt_cycle = bs_read_ue(b); for( i = 0; i < sps->num_ref_frames_in_pic_order_cnt_cycle; i++ ) { - sps->offset_for_ref_frame[ i ] = bs_read_se(b); + if (i < 256) { + sps->offset_for_ref_frame[ i ] = bs_read_se(b); + } else { + bs_read_se(b); + } } } sps->num_ref_frames = bs_read_ue(b); @@ -675,9 +682,15 @@ void read_hrd_parameters(hrd_t* hrd, bs_t* b) hrd->cpb_size_scale = bs_read_u(b, 4); for( int SchedSelIdx = 0; SchedSelIdx <= hrd->cpb_cnt_minus1; SchedSelIdx++ ) { - hrd->bit_rate_value_minus1[ SchedSelIdx ] = bs_read_ue(b); - hrd->cpb_size_value_minus1[ SchedSelIdx ] = bs_read_ue(b); - hrd->cbr_flag[ SchedSelIdx ] = bs_read_u1(b); + if (SchedSelIdx < 32) { + hrd->bit_rate_value_minus1[ SchedSelIdx ] = bs_read_ue(b); + hrd->cpb_size_value_minus1[ SchedSelIdx ] = bs_read_ue(b); + hrd->cbr_flag[ SchedSelIdx ] = bs_read_u1(b); + } else { + bs_read_ue(b); + bs_read_ue(b); + bs_read_u1(b); + } } hrd->initial_cpb_removal_delay_length_minus1 = bs_read_u(b, 5); hrd->cpb_removal_delay_length_minus1 = bs_read_u(b, 5); @@ -725,7 +738,11 @@ void read_pic_parameter_set_rbsp(h264_stream_t* h, bs_t* b) { for( int i_group = 0; i_group <= pps->num_slice_groups_minus1; i_group++ ) { - pps->run_length_minus1[ i_group ] = bs_read_ue(b); + if (i_group < 8) { + pps->run_length_minus1[ i_group ] = bs_read_ue(b); + } else { + bs_read_ue(b); + } } } else if( pps->slice_group_map_type == 2 ) @@ -800,7 +817,8 @@ void read_pic_parameter_set_rbsp(h264_stream_t* h, bs_t* b) if( 1 ) { - memcpy(h->pps_table[pps->pic_parameter_set_id], h->pps, sizeof(pps_t)); + if (0 <= pps->pic_parameter_set_id && pps->pic_parameter_set_id < 256) + memcpy(h->pps_table[pps->pic_parameter_set_id], h->pps, sizeof(pps_t)); } } @@ -976,8 +994,11 @@ void read_slice_header(h264_stream_t* h, bs_t* b) // TODO check existence, otherwise fail pps_t* pps = h->pps; sps_t* sps = h->sps; - memcpy(h->pps, h->pps_table[sh->pic_parameter_set_id], sizeof(pps_t)); - memcpy(h->sps, h->sps_table[pps->seq_parameter_set_id], sizeof(sps_t)); + + if (0 <= sh->pic_parameter_set_id && sh->pic_parameter_set_id < 255) + memcpy(h->pps, h->pps_table[sh->pic_parameter_set_id], sizeof(pps_t)); + if (0 <= pps->seq_parameter_set_id && pps->seq_parameter_set_id < 32) + memcpy(h->sps, h->sps_table[pps->seq_parameter_set_id], sizeof(sps_t)); if (sps->residual_colour_transform_flag) { @@ -1250,10 +1271,14 @@ void read_slice_header_in_scalable_extension(h264_stream_t* h, bs_t* b) // TODO check existence, otherwise fail pps_t* pps = h->pps; sps_subset_t* sps_subset = h->sps_subset; - memcpy(h->pps, h->pps_table[sh->pic_parameter_set_id], sizeof(pps_t)); - memcpy(sps_subset, h->sps_subset_table[pps->seq_parameter_set_id], sizeof(sps_subset_t)); - //memcpy(h->sps_subset->sps, h->sps_subset_table[pps->seq_parameter_set_id]->sps, sizeof(sps_t)); - //memcpy(h->sps_subset->sps_svc_ext, h->sps_subset_table[pps->seq_parameter_set_id]->sps_svc_ext, sizeof(sps_svc_ext_t)); + if (0 <= sh->pic_parameter_set_id && sh->pic_parameter_set_id < 256) + memcpy(h->pps, h->pps_table[sh->pic_parameter_set_id], sizeof(pps_t)); + if (0 <= pps->seq_parameter_set_id && pps->seq_parameter_set_id < 32) { + //memcpy(sps_subset, h->sps_subset_table[pps->seq_parameter_set_id], sizeof(sps_subset_t)); + memcpy(h->sps_subset->sps, h->sps_subset_table[pps->seq_parameter_set_id]->sps, sizeof(sps_t)); + memcpy(h->sps_subset->sps_svc_ext, h->sps_subset_table[pps->seq_parameter_set_id]->sps_svc_ext, sizeof(sps_svc_ext_t)); + h->sps_subset->additional_extension2_flag = h->sps_subset_table[pps->seq_parameter_set_id]->additional_extension2_flag; + } if (sps_subset->sps->residual_colour_transform_flag) { @@ -1551,6 +1576,7 @@ int write_nal_unit(h264_stream_t* h, uint8_t* buf, int size) if( 0 ) { + if (h->sps->seq_parameter_set_id < 0 || h->sps->seq_parameter_set_id >= 32) { bs_free(b); free(rbsp_buf); return -1; } memcpy(h->sps_table[h->sps->seq_parameter_set_id], h->sps, sizeof(sps_t)); } @@ -1583,10 +1609,12 @@ int write_nal_unit(h264_stream_t* h, uint8_t* buf, int size) if( 0 ) { - memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id], h->sps_subset, sizeof(sps_subset_t)); - //memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->sps, h->sps_subset->sps, sizeof(sps_t)); - //memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->sps_svc_ext, h->sps_subset->sps_svc_ext, sizeof(sps_svc_ext_t)); - //h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->additional_extension2_flag = h->sps_subset->additional_extension2_flag; + if (0 <= h->sps_subset->sps->seq_parameter_set_id && h->sps_subset->sps->seq_parameter_set_id < 32) { + //memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id], h->sps_subset, sizeof(sps_subset_t)); + memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->sps, h->sps_subset->sps, sizeof(sps_t)); + memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->sps_svc_ext, h->sps_subset->sps_svc_ext, sizeof(sps_svc_ext_t)); + h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->additional_extension2_flag = h->sps_subset->additional_extension2_flag; + } } break; @@ -2006,9 +2034,11 @@ void write_hrd_parameters(hrd_t* hrd, bs_t* b) bs_write_u(b, 4, hrd->cpb_size_scale); for( int SchedSelIdx = 0; SchedSelIdx <= hrd->cpb_cnt_minus1; SchedSelIdx++ ) { - bs_write_ue(b, hrd->bit_rate_value_minus1[ SchedSelIdx ]); - bs_write_ue(b, hrd->cpb_size_value_minus1[ SchedSelIdx ]); - bs_write_u1(b, hrd->cbr_flag[ SchedSelIdx ]); + if (SchedSelIdx < 32) { + bs_write_ue(b, hrd->bit_rate_value_minus1[ SchedSelIdx ]); + bs_write_ue(b, hrd->cpb_size_value_minus1[ SchedSelIdx ]); + bs_write_u1(b, hrd->cbr_flag[ SchedSelIdx ]); + } } bs_write_u(b, 5, hrd->initial_cpb_removal_delay_length_minus1); bs_write_u(b, 5, hrd->cpb_removal_delay_length_minus1); @@ -2131,7 +2161,8 @@ void write_pic_parameter_set_rbsp(h264_stream_t* h, bs_t* b) if( 0 ) { - memcpy(h->pps_table[pps->pic_parameter_set_id], h->pps, sizeof(pps_t)); + if (0 <= pps->pic_parameter_set_id && pps->pic_parameter_set_id < 256) + memcpy(h->pps_table[pps->pic_parameter_set_id], h->pps, sizeof(pps_t)); } } @@ -2307,8 +2338,10 @@ void write_slice_header(h264_stream_t* h, bs_t* b) // TODO check existence, otherwise fail pps_t* pps = h->pps; sps_t* sps = h->sps; - memcpy(h->pps, h->pps_table[sh->pic_parameter_set_id], sizeof(pps_t)); - memcpy(h->sps, h->sps_table[pps->seq_parameter_set_id], sizeof(sps_t)); + if (0 <= pps->pic_parameter_set_id && pps->pic_parameter_set_id < 256) + memcpy(h->pps, h->pps_table[sh->pic_parameter_set_id], sizeof(pps_t)); + if (0 <= pps->seq_parameter_set_id && pps->seq_parameter_set_id < 32) + memcpy(h->sps, h->sps_table[pps->seq_parameter_set_id], sizeof(sps_t)); if (sps->residual_colour_transform_flag) { @@ -2581,10 +2614,14 @@ void write_slice_header_in_scalable_extension(h264_stream_t* h, bs_t* b) // TODO check existence, otherwise fail pps_t* pps = h->pps; sps_subset_t* sps_subset = h->sps_subset; - memcpy(h->pps, h->pps_table[sh->pic_parameter_set_id], sizeof(pps_t)); - memcpy(sps_subset, h->sps_subset_table[pps->seq_parameter_set_id], sizeof(sps_subset_t)); - //memcpy(h->sps_subset->sps, h->sps_subset_table[pps->seq_parameter_set_id]->sps, sizeof(sps_t)); - //memcpy(h->sps_subset->sps_svc_ext, h->sps_subset_table[pps->seq_parameter_set_id]->sps_svc_ext, sizeof(sps_svc_ext_t)); + if (0 <= sh->pic_parameter_set_id && sh->pic_parameter_set_id < 256) + memcpy(h->pps, h->pps_table[sh->pic_parameter_set_id], sizeof(pps_t)); + if (0 <= pps->seq_parameter_set_id && pps->seq_parameter_set_id < 32) { + //memcpy(sps_subset, h->sps_subset_table[pps->seq_parameter_set_id], sizeof(sps_subset_t)); + memcpy(h->sps_subset->sps, h->sps_subset_table[pps->seq_parameter_set_id]->sps, sizeof(sps_t)); + memcpy(h->sps_subset->sps_svc_ext, h->sps_subset_table[pps->seq_parameter_set_id]->sps_svc_ext, sizeof(sps_svc_ext_t)); + h->sps_subset->additional_extension2_flag = h->sps_subset_table[pps->seq_parameter_set_id]->additional_extension2_flag; + } if (sps_subset->sps->residual_colour_transform_flag) { @@ -2882,6 +2919,7 @@ int read_debug_nal_unit(h264_stream_t* h, uint8_t* buf, int size) if( 1 ) { + if (h->sps->seq_parameter_set_id < 0 || h->sps->seq_parameter_set_id >= 32) { bs_free(b); free(rbsp_buf); return -1; } memcpy(h->sps_table[h->sps->seq_parameter_set_id], h->sps, sizeof(sps_t)); } @@ -2914,10 +2952,12 @@ int read_debug_nal_unit(h264_stream_t* h, uint8_t* buf, int size) if( 1 ) { - //memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id], h->sps_subset, sizeof(sps_subset_t)); - memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->sps, h->sps_subset->sps, sizeof(sps_t)); - memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->sps_svc_ext, h->sps_subset->sps_svc_ext, sizeof(sps_svc_ext_t)); - h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->additional_extension2_flag = h->sps_subset->additional_extension2_flag; + if (0 <= h->sps_subset->sps->seq_parameter_set_id && h->sps_subset->sps->seq_parameter_set_id < 32) { + //memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id], h->sps_subset, sizeof(sps_subset_t)); + memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->sps, h->sps_subset->sps, sizeof(sps_t)); + memcpy(h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->sps_svc_ext, h->sps_subset->sps_svc_ext, sizeof(sps_svc_ext_t)); + h->sps_subset_table[h->sps_subset->sps->seq_parameter_set_id]->additional_extension2_flag = h->sps_subset->additional_extension2_flag; + } } break; @@ -3090,7 +3130,11 @@ void read_debug_seq_parameter_set_rbsp(sps_t* sps, bs_t* b) printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); sps->num_ref_frames_in_pic_order_cnt_cycle = bs_read_ue(b); printf("sps->num_ref_frames_in_pic_order_cnt_cycle: %d \n", sps->num_ref_frames_in_pic_order_cnt_cycle); for( i = 0; i < sps->num_ref_frames_in_pic_order_cnt_cycle; i++ ) { - printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); sps->offset_for_ref_frame[ i ] = bs_read_se(b); printf("sps->offset_for_ref_frame[ i ]: %d \n", sps->offset_for_ref_frame[ i ]); + if (i < 256) { + printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); sps->offset_for_ref_frame[ i ] = bs_read_se(b); printf("sps->offset_for_ref_frame[ i ]: %d \n", sps->offset_for_ref_frame[ i ]); + } else { + bs_read_se(b); + } } } printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); sps->num_ref_frames = bs_read_ue(b); printf("sps->num_ref_frames: %d \n", sps->num_ref_frames); @@ -3337,9 +3381,15 @@ void read_debug_hrd_parameters(hrd_t* hrd, bs_t* b) printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); hrd->cpb_size_scale = bs_read_u(b, 4); printf("hrd->cpb_size_scale: %d \n", hrd->cpb_size_scale); for( int SchedSelIdx = 0; SchedSelIdx <= hrd->cpb_cnt_minus1; SchedSelIdx++ ) { - printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); hrd->bit_rate_value_minus1[ SchedSelIdx ] = bs_read_ue(b); printf("hrd->bit_rate_value_minus1[ SchedSelIdx ]: %d \n", hrd->bit_rate_value_minus1[ SchedSelIdx ]); - printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); hrd->cpb_size_value_minus1[ SchedSelIdx ] = bs_read_ue(b); printf("hrd->cpb_size_value_minus1[ SchedSelIdx ]: %d \n", hrd->cpb_size_value_minus1[ SchedSelIdx ]); - printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); hrd->cbr_flag[ SchedSelIdx ] = bs_read_u1(b); printf("hrd->cbr_flag[ SchedSelIdx ]: %d \n", hrd->cbr_flag[ SchedSelIdx ]); + if (SchedSelIdx < 32) { + printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); hrd->bit_rate_value_minus1[ SchedSelIdx ] = bs_read_ue(b); printf("hrd->bit_rate_value_minus1[ SchedSelIdx ]: %d \n", hrd->bit_rate_value_minus1[ SchedSelIdx ]); + printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); hrd->cpb_size_value_minus1[ SchedSelIdx ] = bs_read_ue(b); printf("hrd->cpb_size_value_minus1[ SchedSelIdx ]: %d \n", hrd->cpb_size_value_minus1[ SchedSelIdx ]); + printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); hrd->cbr_flag[ SchedSelIdx ] = bs_read_u1(b); printf("hrd->cbr_flag[ SchedSelIdx ]: %d \n", hrd->cbr_flag[ SchedSelIdx ]); + } else { + bs_read_ue(b); + bs_read_ue(b); + bs_read_u1(b); + } } printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); hrd->initial_cpb_removal_delay_length_minus1 = bs_read_u(b, 5); printf("hrd->initial_cpb_removal_delay_length_minus1: %d \n", hrd->initial_cpb_removal_delay_length_minus1); printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); hrd->cpb_removal_delay_length_minus1 = bs_read_u(b, 5); printf("hrd->cpb_removal_delay_length_minus1: %d \n", hrd->cpb_removal_delay_length_minus1); @@ -3387,15 +3437,24 @@ void read_debug_pic_parameter_set_rbsp(h264_stream_t* h, bs_t* b) { for( int i_group = 0; i_group <= pps->num_slice_groups_minus1; i_group++ ) { - printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); pps->run_length_minus1[ i_group ] = bs_read_ue(b); printf("pps->run_length_minus1[ i_group ]: %d \n", pps->run_length_minus1[ i_group ]); + if (i_group < 8) { + printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); pps->run_length_minus1[ i_group ] = bs_read_ue(b); printf("pps->run_length_minus1[ i_group ]: %d \n", pps->run_length_minus1[ i_group ]); + } else { + bs_read_ue(b); + } } } else if( pps->slice_group_map_type == 2 ) { for( int i_group = 0; i_group < pps->num_slice_groups_minus1; i_group++ ) { - printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); pps->top_left[ i_group ] = bs_read_ue(b); printf("pps->top_left[ i_group ]: %d \n", pps->top_left[ i_group ]); - printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); pps->bottom_right[ i_group ] = bs_read_ue(b); printf("pps->bottom_right[ i_group ]: %d \n", pps->bottom_right[ i_group ]); + if (0 <= i_group && i_group < 8) { + printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); pps->top_left[ i_group ] = bs_read_ue(b); printf("pps->top_left[ i_group ]: %d \n", pps->top_left[ i_group ]); + printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); pps->bottom_right[ i_group ] = bs_read_ue(b); printf("pps->bottom_right[ i_group ]: %d \n", pps->bottom_right[ i_group ]); + } else { + bs_read_ue(b); + bs_read_ue(b); + } } } else if( pps->slice_group_map_type == 3 || @@ -3411,7 +3470,11 @@ void read_debug_pic_parameter_set_rbsp(h264_stream_t* h, bs_t* b) for( int i = 0; i <= pps->pic_size_in_map_units_minus1; i++ ) { int v = intlog2( pps->num_slice_groups_minus1 + 1 ); - printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); pps->slice_group_id[ i ] = bs_read_u(b, v); printf("pps->slice_group_id[ i ]: %d \n", pps->slice_group_id[ i ]); + if (0 <= i && i < 256) { + printf("%ld.%d: ", (long int)(b->p - b->start), b->bits_left); pps->slice_group_id[ i ] = bs_read_u(b, v); printf("pps->slice_group_id[ i ]: %d \n", pps->slice_group_id[ i ]); + } else { + bs_read_u(b, v); + } } } } @@ -3462,7 +3525,8 @@ void read_debug_pic_parameter_set_rbsp(h264_stream_t* h, bs_t* b) if( 1 ) { - memcpy(h->pps_table[pps->pic_parameter_set_id], h->pps, sizeof(pps_t)); + if (0 <= pps->pic_parameter_set_id && pps->pic_parameter_set_id < 256) + memcpy(h->pps_table[pps->pic_parameter_set_id], h->pps, sizeof(pps_t)); } } @@ -3646,8 +3710,11 @@ void read_debug_slice_header(h264_stream_t* h, bs_t* b) // TODO check existence, otherwise fail pps_t* pps = h->pps; sps_t* sps = h->sps; - memcpy(h->pps, h->pps_table[sh->pic_parameter_set_id], sizeof(pps_t)); - memcpy(h->sps, h->sps_table[pps->seq_parameter_set_id], sizeof(sps_t)); + + if (0 <= sh->pic_parameter_set_id && sh->pic_parameter_set_id < 255) + memcpy(h->pps, h->pps_table[sh->pic_parameter_set_id], sizeof(pps_t)); + if (0 <= pps->seq_parameter_set_id && pps->seq_parameter_set_id < 32) + memcpy(h->sps, h->sps_table[pps->seq_parameter_set_id], sizeof(sps_t)); if (sps->residual_colour_transform_flag) { @@ -3920,10 +3987,14 @@ void read_debug_slice_header_in_scalable_extension(h264_stream_t* h, bs_t* b) // TODO check existence, otherwise fail pps_t* pps = h->pps; sps_subset_t* sps_subset = h->sps_subset; - memcpy(h->pps, h->pps_table[sh->pic_parameter_set_id], sizeof(pps_t)); - //memcpy(sps_subset, h->sps_subset_table[pps->seq_parameter_set_id], sizeof(sps_subset_t)); - memcpy(sps_subset->sps, h->sps_subset_table[pps->seq_parameter_set_id]->sps, sizeof(sps_t)); - memcpy(sps_subset->sps_svc_ext, h->sps_subset_table[pps->seq_parameter_set_id]->sps_svc_ext, sizeof(sps_svc_ext_t)); + if (0 <= sh->pic_parameter_set_id && sh->pic_parameter_set_id < 256) + memcpy(h->pps, h->pps_table[sh->pic_parameter_set_id], sizeof(pps_t)); + if (0 <= pps->seq_parameter_set_id && pps->seq_parameter_set_id < 32) { + //memcpy(sps_subset, h->sps_subset_table[pps->seq_parameter_set_id], sizeof(sps_subset_t)); + memcpy(sps_subset->sps, h->sps_subset_table[pps->seq_parameter_set_id]->sps, sizeof(sps_t)); + memcpy(sps_subset->sps_svc_ext, h->sps_subset_table[pps->seq_parameter_set_id]->sps_svc_ext, sizeof(sps_svc_ext_t)); + sps_subset->additional_extension2_flag = h->sps_subset_table[pps->seq_parameter_set_id]->additional_extension2_flag; + } if (sps_subset->sps->residual_colour_transform_flag) {