[FFmpeg-devel] [PATCH] lavc/vvc: Check slice structure

Frank Plowman post at frankplowman.com
Fri Jan 10 23:29:07 EET 2025 

The criteria for slice structure validity is similar to that of
subpicture structure validity that we saw not too long ago [1].
The relationship between tiles and slices must satisfy the following
properties:

* Exhaustivity.  All tiles in a picture must belong to a slice.  The
  tiles cover the picture, so this implies the slices must cover the
  picture.
* Mutual exclusivity.  No tile may belong to more than one slice, i.e.
  slices may not overlap.

In most cases these properties are guaranteed by the syntax.  There is
one noticable exception however: when pps_tile_idx_delta_present_flag is
equal to one, each slice is associated with a syntax element
pps_tile_idx_delta_val[i] which "specifies the difference between the
tile index of the tile containing the first CTU in the ( i + 1 )-th
rectangular slice and the tile index of the tile containing the first
CTU in the i-th rectangular slice" [2].  When these syntax elements are
present, the i-th slice can begin anywhere and the usual guarantees
provided by the syntax are lost.

The patch detects slice structures which violate either of the two
properties above, and are therefore invalid, while building the
slice map.  Should the slice map be determined to be invalid, an
AVERROR_INVALIDDATA is returned.  This prevents issues including
segmentation faults when trying to decode,  invalid bitstreams.

[1]: https://ffmpeg.org//pipermail/ffmpeg-devel/2024-October/334470.html
[2]: H.266 (V3) Section 7.4.3.5, Picture parameter set RBSP semantics

Signed-off-by: Frank Plowman <post at frankplowman.com>
---
 libavcodec/vvc/ps.c | 39 ++++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/libavcodec/vvc/ps.c b/libavcodec/vvc/ps.c
index a5cf1d74bd..13f1cf02dd 100644
--- a/libavcodec/vvc/ps.c
+++ b/libavcodec/vvc/ps.c
@@ -460,7 +460,7 @@ static int pps_one_tile_slices(VVCPPS *pps, const int tile_idx, int i, int *off)
     return i;
 }
 
-static void pps_multi_tiles_slice(VVCPPS *pps, const int tile_idx, const int i, int *off)
+static int pps_multi_tiles_slice(VVCPPS *pps, int tile_idx, const int i, int *off, int *tile_in_slice)
 {
     const H266RawPPS *r = pps->r;
     int rx, ry, tile_x, tile_y;
@@ -470,32 +470,53 @@ static void pps_multi_tiles_slice(VVCPPS *pps, const int tile_idx, const int i,
     pps->num_ctus_in_slice[i] = 0;
     for (int ty = tile_y; ty <= tile_y + r->pps_slice_height_in_tiles_minus1[i]; ty++) {
         for (int tx = tile_x; tx <= tile_x + r->pps_slice_width_in_tiles_minus1[i]; tx++) {
+            tile_idx = ty * r->num_tile_columns + tx;
+            if (tile_in_slice[tile_idx])
+                return AVERROR_INVALIDDATA;
+            tile_in_slice[tile_idx] = 1;
             ctu_xy(&rx, &ry, tx, ty, pps);
             pps->num_ctus_in_slice[i] += pps_add_ctus(pps, off, rx, ry,
                 r->col_width_val[tx], r->row_height_val[ty]);
         }
     }
+
+    return 0;
 }
 
-static void pps_rect_slice(VVCPPS *pps, const VVCSPS *sps)
+static int pps_rect_slice(VVCPPS *pps, const VVCSPS *sps)
 {
     const H266RawPPS *r = pps->r;
+    int tile_in_slice[VVC_MAX_TILES_PER_AU] = {0};
     int tile_idx = 0, off = 0;
+    int ret;
 
     if (r->pps_single_slice_per_subpic_flag) {
         pps_single_slice_per_subpic(pps, sps, &off);
-        return;
+        return 0;
     }
 
     for (int i = 0; i < r->pps_num_slices_in_pic_minus1 + 1; i++) {
         if (!r->pps_slice_width_in_tiles_minus1[i] &&
             !r->pps_slice_height_in_tiles_minus1[i]) {
+            if (tile_in_slice[tile_idx]) {
+                return AVERROR_INVALIDDATA;
+            }
             i = pps_one_tile_slices(pps, tile_idx, i, &off);
+            tile_in_slice[tile_idx] = 1;
         } else {
-            pps_multi_tiles_slice(pps, tile_idx, i, &off);
+            ret = pps_multi_tiles_slice(pps, tile_idx, i, &off, tile_in_slice);
+            if (ret < 0)
+                return ret;
         }
         tile_idx = next_tile_idx(tile_idx, i, r);
     }
+
+    for (int i = 0; i < r->num_tiles_in_pic; i++) {
+        if (!tile_in_slice[i])
+            return AVERROR_INVALIDDATA;
+    }
+
+    return 0;
 }
 
 static void pps_no_rect_slice(VVCPPS* pps)
@@ -513,13 +534,17 @@ static void pps_no_rect_slice(VVCPPS* pps)
 
 static int pps_slice_map(VVCPPS *pps, const VVCSPS *sps)
 {
+    int ret;
+
     pps->ctb_addr_in_slice = av_calloc(pps->ctb_count, sizeof(*pps->ctb_addr_in_slice));
     if (!pps->ctb_addr_in_slice)
         return AVERROR(ENOMEM);
 
-    if (pps->r->pps_rect_slice_flag)
-        pps_rect_slice(pps, sps);
-    else
+    if (pps->r->pps_rect_slice_flag) {
+        ret = pps_rect_slice(pps, sps);
+        if (ret < 0)
+            return AVERROR_INVALIDDATA;
+    } else
         pps_no_rect_slice(pps);
 
     return 0;
-- 
2.47.0

More information about the ffmpeg-devel mailing list