h264: Lower bound check for slice offsets

And use the value from the specification.

Sample-Id: 00000451-google
Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This commit is contained in:
Vittorio Giovara 2014-02-20 02:38:32 +01:00 committed by Luca Barbato
parent 5c79d2e12d
commit f777504f64
2 changed files with 14 additions and 12 deletions

View File

@ -3840,8 +3840,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
get_se_golomb(&h->gb); /* slice_qs_delta */
h->deblocking_filter = 1;
h->slice_alpha_c0_offset = 52;
h->slice_beta_offset = 52;
h->slice_alpha_c0_offset = 0;
h->slice_beta_offset = 0;
if (h->pps.deblocking_filter_parameters_present) {
tmp = get_ue_golomb_31(&h->gb);
if (tmp > 2) {
@ -3854,10 +3854,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
h->deblocking_filter ^= 1; // 1<->0
if (h->deblocking_filter) {
h->slice_alpha_c0_offset += get_se_golomb(&h->gb) << 1;
h->slice_beta_offset += get_se_golomb(&h->gb) << 1;
if (h->slice_alpha_c0_offset > 104U ||
h->slice_beta_offset > 104U) {
h->slice_alpha_c0_offset = get_se_golomb(&h->gb) * 2;
h->slice_beta_offset = get_se_golomb(&h->gb) * 2;
if (h->slice_alpha_c0_offset > 12 ||
h->slice_alpha_c0_offset < -12 ||
h->slice_beta_offset > 12 ||
h->slice_beta_offset < -12) {
av_log(h->avctx, AV_LOG_ERROR,
"deblocking filter parameters %d %d out of range\n",
h->slice_alpha_c0_offset, h->slice_beta_offset);
@ -3894,7 +3896,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
}
}
}
h->qp_thresh = 15 + 52 -
h->qp_thresh = 15 +
FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) -
FFMAX3(0,
h->pps.chroma_qp_index_offset[0],
@ -3956,7 +3958,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
h->ref_count[0], h->ref_count[1],
h->qscale,
h->deblocking_filter,
h->slice_alpha_c0_offset / 2 - 26, h->slice_beta_offset / 2 - 26,
h->slice_alpha_c0_offset, h->slice_beta_offset,
h->use_weight,
h->use_weight == 1 && h->use_weight_chroma ? "c" : "",
h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? "SPAT" : "TEMP") : "");

View File

@ -252,8 +252,8 @@ static av_always_inline void h264_filter_mb_fast_internal(H264Context *h,
int top_type= h->top_type;
int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
int a = h->slice_alpha_c0_offset - qp_bd_offset;
int b = h->slice_beta_offset - qp_bd_offset;
int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
int b = 52 + h->slice_beta_offset - qp_bd_offset;
int mb_type = h->cur_pic.mb_type[mb_xy];
int qp = h->cur_pic.qscale_table[mb_xy];
@ -707,8 +707,8 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint
av_unused int dir;
int chroma = !(CONFIG_GRAY && (h->flags&CODEC_FLAG_GRAY));
int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
int a = h->slice_alpha_c0_offset - qp_bd_offset;
int b = h->slice_beta_offset - qp_bd_offset;
int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
int b = 52 + h->slice_beta_offset - qp_bd_offset;
if (FRAME_MBAFF(h)
// and current and left pair do not have the same interlaced type