[FFmpeg-devel] [PATCH 4/5] avformat: add moflex demuxer

Paul B Mahol onemda at gmail.com
Thu Sep 3 12:00:54 EEST 2020


On 9/3/20, Andreas Rheinhardt <andreas.rheinhardt at gmail.com> wrote:
> Paul B Mahol:
>> Signed-off-by: Paul B Mahol <onemda at gmail.com>
>> ---
>>  libavformat/Makefile     |   1 +
>>  libavformat/allformats.c |   1 +
>>  libavformat/moflex.c     | 360 +++++++++++++++++++++++++++++++++++++++
>>  3 files changed, 362 insertions(+)
>>  create mode 100644 libavformat/moflex.c
>>
>> diff --git a/libavformat/Makefile b/libavformat/Makefile
>> index cbb33fe37c..1e0ac317e5 100644
>> --- a/libavformat/Makefile
>> +++ b/libavformat/Makefile
>> @@ -319,6 +319,7 @@ OBJS-$(CONFIG_MLV_DEMUXER)               += mlvdec.o
>> riffdec.o
>>  OBJS-$(CONFIG_MM_DEMUXER)                += mm.o
>>  OBJS-$(CONFIG_MMF_DEMUXER)               += mmf.o
>>  OBJS-$(CONFIG_MMF_MUXER)                 += mmf.o rawenc.o
>> +OBJS-$(CONFIG_MOFLEX_DEMUXER)            += moflex.o
>>  OBJS-$(CONFIG_MOV_DEMUXER)               += mov.o mov_chan.o mov_esds.o
>> replaygain.o
>>  OBJS-$(CONFIG_MOV_MUXER)                 += movenc.o av1.o avc.o hevc.o
>> vpcc.o \
>>                                              movenchint.o mov_chan.o rtp.o
>> \
>> diff --git a/libavformat/allformats.c b/libavformat/allformats.c
>> index 0aa9dd7198..28331facb9 100644
>> --- a/libavformat/allformats.c
>> +++ b/libavformat/allformats.c
>> @@ -249,6 +249,7 @@ extern AVInputFormat  ff_mlv_demuxer;
>>  extern AVInputFormat  ff_mm_demuxer;
>>  extern AVInputFormat  ff_mmf_demuxer;
>>  extern AVOutputFormat ff_mmf_muxer;
>> +extern AVInputFormat  ff_moflex_demuxer;
>>  extern AVInputFormat  ff_mov_demuxer;
>>  extern AVOutputFormat ff_mov_muxer;
>>  extern AVOutputFormat ff_mp2_muxer;
>> diff --git a/libavformat/moflex.c b/libavformat/moflex.c
>> new file mode 100644
>> index 0000000000..989623396f
>> --- /dev/null
>> +++ b/libavformat/moflex.c
>> @@ -0,0 +1,360 @@
>> +/*
>> + * MOFLEX demuxer
>> + * Copyright (c) 2020 Paul B Mahol
>> + *
>> + * This file is part of FFmpeg.
>> + *
>> + * FFmpeg is free software; you can redistribute it and/or
>> + * modify it under the terms of the GNU Lesser General Public
>> + * License as published by the Free Software Foundation; either
>> + * version 2.1 of the License, or (at your option) any later version.
>> + *
>> + * FFmpeg is distributed in the hope that it will be useful,
>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>> + * Lesser General Public License for more details.
>> + *
>> + * You should have received a copy of the GNU Lesser General Public
>> + * License along with FFmpeg; if not, write to the Free Software
>> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> 02110-1301 USA
>> + */
>> +
>> +#include "libavcodec/bytestream.h"
>> +
>> +#include "avformat.h"
>> +#include "internal.h"
>> +
>> +typedef struct BitReader {
>> +    unsigned last;
>> +    unsigned pos;
>> +} BitReader;
>> +
>> +typedef struct MOFLEXDemuxContext {
>> +    unsigned size;
>> +    int64_t pos;
>> +    int64_t ts;
>> +    int flags;
>> +    int in_block;
>> +
>> +    BitReader br;
>> +} MOFLEXDemuxContext;
>> +
>> +static int pop(BitReader *br, AVIOContext *pb)
>> +{
>> +    if (avio_feof(pb))
>> +        return AVERROR_EOF;
>> +
>> +    if ((br->pos & 7) == 0)
>> +        br->last = (unsigned)avio_r8(pb) << 24U;
>> +    else
>> +        br->last <<= 1;
>> +
>> +    br->pos++;
>> +    return !!(br->last & 0x80000000);
>> +}
>> +
>> +static int pop_int(BitReader *br, AVIOContext *pb, int n)
>> +{
>> +    int value = 0;
>> +
>> +    for (int i = 0; i < n; i++) {
>> +        int ret = pop(br, pb);
>> +
>> +        if (ret < 0)
>> +            return ret;
>> +        value = 2 * value + ret;
>> +    }
>> +
>> +    return value;
>> +}
>> +
>> +static int pop_length(BitReader *br, AVIOContext *pb)
>> +{
>> +    int ret, n = 1;
>> +
>> +    while ((ret = pop(br, pb)) == 0)
>> +        n++;
>> +
>> +    if (ret < 0)
>> +        return ret;
>> +    return n;
>> +}
>> +
>> +static int read_var_byte(AVFormatContext *s, unsigned *out)
>> +{
>> +    AVIOContext *pb = s->pb;
>> +    unsigned value = 0, data;
>> +
>> +    data = avio_r8(pb);
>> +    if (!(data & 0x80)) {
>> +        *out = data;
>> +        return 0;
>> +    }
>> +
>> +    value = (data & 0x7F) << 7;
>> +    data = avio_r8(pb);
>> +    if (!(data & 0x80)) {
>> +        value |= data;
>> +        *out = value;
>> +        return 0;
>> +    }
>> +
>> +    value = ((data & 0x7F) | value) << 7;
>> +    data = avio_r8(pb);
>> +    if (!(data & 0x80)) {
>> +        value |= data;
>> +        *out = value;
>> +        return 0;
>> +    }
>> +
>> +    value = (((data & 0x7F) | value) << 7) | avio_r8(pb);
>> +    *out = value;
>> +
>> +    return 0;
>> +}
>> +
>> +static int moflex_probe(const AVProbeData *p)
>> +{
>> +    GetByteContext gb;
>> +    int score = 0;
>> +
>> +    bytestream2_init(&gb, p->buf, p->buf_size);
>> +
>> +    if (bytestream2_get_be16(&gb) != 0x4C32)
>> +        return 0;
>> +    score += 10;
>> +
>> +    bytestream2_skip(&gb, 10);
>> +    if (bytestream2_get_be16(&gb) == 0)
>> +        return 0;
>> +    score += 5;
>> +
>> +    while (bytestream2_get_bytes_left(&gb) > 0) {
>> +        int type = bytestream2_get_byte(&gb);
>> +        int size = bytestream2_get_byte(&gb);
>> +
>> +        if (type == 0) {
>> +            score += 5 * (size == 0);
>> +            break;
>> +        }
>> +        if ((type == 1 && size == 12) ||
>> +            (type == 2 && size ==  6) ||
>> +            (type == 3 && size == 13) ||
>> +            (type == 4 && size ==  2))
>> +            score += 20;
>> +        bytestream2_skip(&gb, size);
>> +    }
>> +
>> +    return FFMIN(AVPROBE_SCORE_MAX, score);
>> +}
>> +
>> +static int moflex_read_sync(AVFormatContext *s)
>> +{
>> +    MOFLEXDemuxContext *m = s->priv_data;
>> +    AVIOContext *pb = s->pb;
>> +
>> +    if (avio_rb16(pb) != 0x4C32) {
>> +        if (avio_feof(pb))
>> +            return AVERROR_EOF;
>> +        avio_seek(pb, -2, SEEK_CUR);
>> +        return 1;
>> +    }
>> +
>> +    avio_skip(pb, 2);
>> +    m->ts = avio_rb64(pb);
>> +    m->size = avio_rb16(pb) + 1;
>> +
>> +    while (!avio_feof(pb)) {
>> +        unsigned type, ssize, codec_id = 0;
>> +        unsigned codec_type, width = 0, height = 0, sample_rate = 0,
>> channels = 0;
>> +        int stream_index = -1;
>> +        int format;
>> +        AVRational fps;
>> +
>> +        read_var_byte(s, &type);
>> +        read_var_byte(s, &ssize);
>> +
>> +        switch (type) {
>> +        case 0:
>> +            if (ssize > 0)
>> +                avio_skip(pb, ssize);
>> +            return 0;
>> +        case 2:
>> +            codec_type = AVMEDIA_TYPE_AUDIO;
>> +            stream_index = avio_r8(pb);
>> +            codec_id = avio_r8(pb);
>> +            switch (codec_id) {
>> +            case 0: codec_id = AV_CODEC_ID_FASTAUDIO; break;
>> +            case 1: codec_id = AV_CODEC_ID_ADPCM_IMA_MOFLEX; break;
>> +            case 2: codec_id = AV_CODEC_ID_PCM_S16LE; break;
>> +            default:
>> +                av_log(s, AV_LOG_ERROR, "Unsupported audio codec: %d\n",
>> codec_id);
>> +                return AVERROR_PATCHWELCOME;
>> +            }
>> +            sample_rate = avio_rb24(pb) + 1;
>> +            channels = avio_r8(pb) + 1;
>> +            break;
>> +        case 1:
>> +        case 3:
>> +            codec_type = AVMEDIA_TYPE_VIDEO;
>> +            stream_index = avio_r8(pb);
>> +            codec_id = avio_r8(pb);
>> +            switch (codec_id) {
>> +            case 0: codec_id = AV_CODEC_ID_MOBICLIP; break;
>> +            default:
>> +                av_log(s, AV_LOG_ERROR, "Unsupported video codec: %d\n",
>> codec_id);
>> +                return AVERROR_PATCHWELCOME;
>> +            }
>> +            fps.num = avio_rb16(pb);
>> +            fps.den = avio_rb16(pb);
>> +            width = avio_rb16(pb);
>> +            height = avio_rb16(pb);
>> +            format = AV_PIX_FMT_YUV420P;
>> +            avio_skip(pb, type == 3 ? 3 : 2);
>> +            break;
>> +        case 4:
>> +            codec_type = AVMEDIA_TYPE_DATA;
>> +            stream_index = avio_r8(pb);
>> +            avio_skip(pb, 1);
>> +            break;
>> +        }
>> +
>> +        if (stream_index == s->nb_streams) {
>> +            AVStream *st = avformat_new_stream(s, NULL);
>> +
>> +            if (!st)
>> +                return AVERROR(ENOMEM);
>> +
>> +            st->codecpar->codec_type = codec_type;
>> +            st->codecpar->codec_id   = codec_id;
>> +            st->codecpar->width      = width;
>> +            st->codecpar->height     = height;
>> +            st->codecpar->sample_rate= sample_rate;
>> +            st->codecpar->channels   = channels;
>> +            st->codecpar->format     = format;
>> +            st->priv_data            = av_packet_alloc();
>> +            if (!st->priv_data)
>> +                return AVERROR(ENOMEM);
>
> If this allocation fails when reading a packet, you end up with a stream
> without priv_data. If the caller decides to call av_read_frame() again,
> you can get a segfault, because the code for reading a packet presumes
> every stream to have an AVPacket as priv_data.

No this is huge libavformat bug. NULL pointer dereference when appending packet.

>
>> +
>> +            if (sample_rate)
>> +                avpriv_set_pts_info(st, 63, 1, sample_rate);
>> +            else
>> +                avpriv_set_pts_info(st, 63, fps.den, fps.num);
>> +        }
>> +    }
>> +
>> +    return 0;
>> +}
>> +
>> +static int moflex_read_header(AVFormatContext *s)
>> +{
>> +    int ret;
>> +
>> +    ret = moflex_read_sync(s);
>> +    if (ret < 0)
>> +        return ret;
>> +
>> +    s->ctx_flags |= AVFMTCTX_NOHEADER;
>> +    avio_seek(s->pb, 0, SEEK_SET);
>> +
>> +    return 0;
>> +}
>> +
>> +static int moflex_read_packet(AVFormatContext *s, AVPacket *pkt)
>> +{
>> +    MOFLEXDemuxContext *m = s->priv_data;
>> +    AVIOContext *pb = s->pb;
>> +    BitReader *br = &m->br;
>> +    int ret;
>> +
>> +    while (!avio_feof(pb)) {
>> +        if (!m->in_block) {
>> +            m->pos = avio_tell(pb);
>> +
>> +            ret = moflex_read_sync(s);
>> +            if (ret < 0)
>> +                return ret;
>> +
>> +            m->flags = avio_r8(pb);
>> +            if (m->flags & 2)
>> +                avio_skip(pb, 2);
>> +        }
>> +
>> +        while ((avio_tell(pb) < m->pos + m->size) && !avio_feof(pb) &&
>> avio_r8(pb)) {
>> +            int stream_index, bits, pkt_size, endframe;
>> +            AVPacket *packet;
>> +
>> +            m->in_block = 1;
>> +
>> +            avio_seek(pb, -1, SEEK_CUR);
>> +            br->pos = br->last = 0;
>> +
>> +            bits = pop_length(br, pb);
>> +            if (bits < 0)
>> +                return bits;
>> +            stream_index = pop_int(br, pb, bits);
>> +            if (stream_index < 0)
>> +                return stream_index;
>> +            if (stream_index >= s->nb_streams)
>> +                return AVERROR_INVALIDDATA;
>> +
>> +            endframe = pop(br, pb);
>> +            if (endframe < 0)
>> +                return endframe;
>> +            if (endframe) {
>> +                bits = pop_length(br, pb);
>> +                if (bits < 0)
>> +                    return bits;
>> +                pop_int(br, pb, bits);
>> +                pop(br, pb);
>> +                bits = pop_length(br, pb);
>> +                if (bits < 0)
>> +                    return bits;
>> +                pop_int(br, pb, bits * 2 + 26);
>> +            }
>> +
>> +            pkt_size = pop_int(br, pb, 13) + 1;
>> +            packet   = s->streams[stream_index]->priv_data;
>> +
>> +            ret = av_append_packet(pb, packet, pkt_size);
>> +            if (endframe) {
>> +                av_packet_move_ref(pkt, packet);
>> +                pkt->pos = m->pos;
>> +                pkt->stream_index = stream_index;
>> +                pkt->flags |= AV_PKT_FLAG_KEY;
>> +                return ret;
>> +            }
>> +        }
>> +
>> +        m->in_block = 0;
>> +
>> +        if (m->flags % 2 == 0)
>> +            avio_seek(pb, m->pos + m->size, SEEK_SET);
>> +    }
>> +
>> +    return AVERROR_EOF;
>> +}
>> +
>> +static int moflex_read_close(AVFormatContext *s)
>> +{
>> +    for (int i = 0; i < s->nb_streams; i++) {
>> +        AVPacket *packet = s->streams[i]->priv_data;
>> +
>> +        av_packet_free(&packet);
>> +        s->streams[i]->priv_data = 0;
>> +    }
>> +
>> +    return 0;
>> +}
>> +
>> +AVInputFormat ff_moflex_demuxer = {
>> +    .name           = "moflex",
>> +    .long_name      = NULL_IF_CONFIG_SMALL("MobiClip MOFLEX"),
>> +    .priv_data_size = sizeof(MOFLEXDemuxContext),
>> +    .read_probe     = moflex_probe,
>> +    .read_header    = moflex_read_header,
>> +    .read_packet    = moflex_read_packet,
>> +    .read_close     = moflex_read_close,
>> +    .extensions     = "moflex",
>> +    .flags          = AVFMT_GENERIC_INDEX,
>> +};
>>
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".


More information about the ffmpeg-devel mailing list