shithub: libvpx

Download patch

ref: 943e43273b0a7369d07714e7fd2e19fecfb11c7c
parent: 1a01194ab548ca9b5d7dbbdc2350d4c06f54e6d4
author: Jim Bankoski <[email protected]>
date: Thu Jul 17 02:31:50 EDT 2014 

allow config options to limit max size of decode

This is a practical concern to allow us to fail in a decoder instance
if the size of a file is bigger than we can reasonably handle.

Change-Id: I0446b5502b1f8a48408107648ff2a8d187dca393


--- a/build/make/configure.sh
+++ b/build/make/configure.sh
@@ -485,6 +485,7 @@
     print_config_h ARCH   "${TMP_H}" ${ARCH_LIST}
     print_config_h HAVE   "${TMP_H}" ${HAVE_LIST}
     print_config_h CONFIG "${TMP_H}" ${CONFIG_LIST}
+    print_config_vars_h   "${TMP_H}" ${VAR_LIST}
     echo "#endif /* VPX_CONFIG_H */" >> ${TMP_H}
     mkdir -p `dirname "$1"`
     cmp "$1" ${TMP_H} >/dev/null 2>&1 || mv ${TMP_H} "$1"
@@ -550,6 +551,15 @@
             || die "Must be yasm, nasm or auto: ${optval}"
         alt_as="${optval}"
         ;;
+        --size-limit=*)
+        w="${optval%%x*}"
+        h="${optval##*x}"
+        VAR_LIST="DECODE_WIDTH_LIMIT ${w} DECODE_HEIGHT_LIMIT ${h}"
+        [ ${w} -gt 0 -a ${h} -gt 0 ] || die "Invalid size-limit: too small."
+        [ ${w} -lt 65536 -a ${h} -lt 65536 ] \
+            || die "Invalid size-limit: too big."
+        enable_feature size_limit
+        ;;
         --prefix=*)
         prefix="${optval}"
         ;;
@@ -1321,6 +1331,16 @@
         else
             echo "#define ${prefix}_${upname} 0" >> $header
         fi
+    done
+}
+
+print_config_vars_h() {
+    local header=$1
+    shift
+    while [ $# -gt 0 ]; do
+        upname="`toupper $1`"
+        echo "#define ${upname} $2" >> $header
+        shift 2
     done
 }
 
--- a/configure
+++ b/configure
@@ -26,6 +26,7 @@
   ${toggle_unit_tests}            unit tests
   ${toggle_decode_perf_tests}     build decoder perf tests with unit tests
   --libc=PATH                     path to alternate libc
+  --size-limit=WxH                max size to allow in the decoder
   --as={yasm|nasm|auto}           use specified assembler [auto, yasm preferred]
   --sdk-path=PATH                 path to root of sdk (android builds only)
   ${toggle_fast_unaligned}        don't use unaligned accesses, even when
@@ -327,6 +328,7 @@
     multi_res_encoding
     temporal_denoising
     experimental
+    size_limit
     ${EXPERIMENT_LIST}
 "
 CMDLINE_SELECT="
@@ -352,6 +354,7 @@
     docs
     libc
     as
+    size_limit
     fast_unaligned
     codec_srcs
     debug_libs
--- a/test/encode_test_driver.cc
+++ b/test/encode_test_driver.cc
@@ -177,7 +177,10 @@
             if (decoder && DoDecode()) {
               vpx_codec_err_t res_dec = decoder->DecodeFrame(
                   (const uint8_t*)pkt->data.frame.buf, pkt->data.frame.sz);
-              ASSERT_EQ(VPX_CODEC_OK, res_dec) << decoder->DecodeError();
+
+              if (!HandleDecodeResult(res_dec, *video, decoder))
+                break;
+
               has_dxdata = true;
             }
             ASSERT_GE(pkt->data.frame.pts, last_pts_);
--- a/test/encode_test_driver.h
+++ b/test/encode_test_driver.h
@@ -221,6 +221,14 @@
   virtual void DecompressedFrameHook(const vpx_image_t& img,
                                      vpx_codec_pts_t pts) {}
 
+  // Hook to be called to handle decode result. Return true to continue.
+  virtual bool HandleDecodeResult(const vpx_codec_err_t res_dec,
+                                  const VideoSource& /* video */,
+                                  Decoder *decoder) {
+    EXPECT_EQ(VPX_CODEC_OK, res_dec) << decoder->DecodeError();
+    return VPX_CODEC_OK == res_dec;
+  }
+
   // Hook that can modify the encoder's output data
   virtual const vpx_codec_cx_pkt_t * MutateEncoderOutputHook(
       const vpx_codec_cx_pkt_t *pkt) {
--- /dev/null
+++ b/test/frame_size_tests.cc
@@ -1,0 +1,98 @@
+/*
+ *  Copyright (c) 2014 The WebM project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+#include <climits>
+#include <vector>
+#include "third_party/googletest/src/include/gtest/gtest.h"
+#include "test/codec_factory.h"
+#include "test/encode_test_driver.h"
+#include "test/i420_video_source.h"
+#include "test/util.h"
+
+namespace {
+
+class VP9FrameSizeTestsLarge
+    : public ::libvpx_test::EncoderTest,
+      public ::testing::Test {
+ protected:
+  VP9FrameSizeTestsLarge() : EncoderTest(&::libvpx_test::kVP9),
+                             expected_res_(VPX_CODEC_OK) {}
+  virtual ~VP9FrameSizeTestsLarge() {}
+
+  virtual void SetUp() {
+    InitializeConfig();
+    SetMode(::libvpx_test::kRealTime);
+  }
+
+  virtual bool HandleDecodeResult(const vpx_codec_err_t res_dec,
+                                  const libvpx_test::VideoSource &video,
+                                  libvpx_test::Decoder *decoder) {
+    EXPECT_EQ(expected_res_, res_dec)
+        << "Expected " << expected_res_
+        << "but got " << res_dec;
+
+    return !::testing::Test::HasFailure();
+  }
+
+  virtual void PreEncodeFrameHook(::libvpx_test::VideoSource *video,
+                                  ::libvpx_test::Encoder *encoder) {
+    if (video->frame() == 1) {
+      encoder->Control(VP8E_SET_CPUUSED, 7);
+      encoder->Control(VP8E_SET_ENABLEAUTOALTREF, 1);
+      encoder->Control(VP8E_SET_ARNR_MAXFRAMES, 7);
+      encoder->Control(VP8E_SET_ARNR_STRENGTH, 5);
+      encoder->Control(VP8E_SET_ARNR_TYPE, 3);
+    }
+  }
+
+  int expected_res_;
+};
+
+TEST_F(VP9FrameSizeTestsLarge, TestInvalidSizes) {
+  ::libvpx_test::RandomVideoSource video;
+
+#if CONFIG_SIZE_LIMIT
+  video.SetSize(DECODE_WIDTH_LIMIT + 16, DECODE_HEIGHT_LIMIT + 16);
+  video.set_limit(2);
+  expected_res_ = VPX_CODEC_CORRUPT_FRAME;
+  ASSERT_NO_FATAL_FAILURE(RunLoop(&video));
+#else
+  // If we are on a 32 bit platform we can't possibly allocate enough memory
+  // for the largest video frame size (64kx64k). This test checks that we
+  // properly return a memory error.
+  if (sizeof(size_t) == 4) {
+    video.SetSize(65535, 65535);
+    video.set_limit(2);
+    expected_res_ = VPX_CODEC_MEM_ERROR;
+    ASSERT_NO_FATAL_FAILURE(RunLoop(&video));
+  }
+#endif
+}
+
+TEST_F(VP9FrameSizeTestsLarge, ValidSizes) {
+  ::libvpx_test::RandomVideoSource video;
+
+#if CONFIG_SIZE_LIMIT
+  video.SetSize(DECODE_WIDTH_LIMIT, DECODE_HEIGHT_LIMIT);
+  video.set_limit(2);
+  expected_res_ = VPX_CODEC_OK;
+  ASSERT_NO_FATAL_FAILURE(RunLoop(&video));
+#else
+  // This test produces a pretty large single frame allocation,  (roughly
+  // 25 megabits). The encoder allocates a good number of these frames
+  // one for each lag in frames (for 2 pass), and then one for each possible
+  // reference buffer (8) - we can end up with up to 30 buffers of roughly this
+  // size or almost 1 gig of memory.
+  video.SetSize(4096, 4096);
+  video.set_limit(2);
+  expected_res_ = VPX_CODEC_OK;
+  ASSERT_NO_FATAL_FAILURE(RunLoop(&video));
+#endif
+}
+}  // namespace
--- a/test/test.mk
+++ b/test/test.mk
@@ -34,6 +34,7 @@
 LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += active_map_test.cc
 LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += borders_test.cc
 LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += cpu_speed_test.cc
+LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += frame_size_tests.cc
 LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += resize_test.cc
 LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += vp9_lossless_test.cc
 
--- a/test/video_source.h
+++ b/test/video_source.h
@@ -127,6 +127,10 @@
 
   virtual unsigned int limit() const { return limit_; }
 
+  void set_limit(unsigned int limit) {
+    limit_ = limit;
+  }
+
   void SetSize(unsigned int width, unsigned int height) {
     if (width != width_ || height != height_) {
       vpx_img_free(img_);
--- a/vp9/decoder/vp9_decodeframe.c
+++ b/vp9/decoder/vp9_decodeframe.c
@@ -621,6 +621,12 @@
 }
 
 static void apply_frame_size(VP9_COMMON *cm, int width, int height) {
+#if CONFIG_SIZE_LIMIT
+  if (width > DECODE_WIDTH_LIMIT || height > DECODE_HEIGHT_LIMIT)
+    vpx_internal_error(&cm->error, VPX_CODEC_CORRUPT_FRAME,
+                       "Width and height beyond allowed size.");
+#endif
+
   if (cm->width != width || cm->height != height) {
     // Change in frame size.
     // TODO(agrange) Don't test width/height, check overall size.
--- a/vpx/src/vpx_image.c
+++ b/vpx/src/vpx_image.c
@@ -12,6 +12,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include "vpx/vpx_image.h"
+#include "vpx/vpx_integer.h"
 
 #define ADDRESS_STORAGE_SIZE      sizeof(size_t)
 /*returns an addr aligned to the byte boundary specified by align*/
@@ -165,8 +166,13 @@
   img->img_data = img_data;
 
   if (!img_data) {
-    img->img_data = img_buf_memalign(buf_align, ((fmt & VPX_IMG_FMT_PLANAR) ?
-                                                 h * s * bps / 8 : h * s));
+    const uint64_t alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ?
+                                (uint64_t)h * s * bps / 8 : (uint64_t)h * s;
+
+    if (alloc_size != (size_t)alloc_size)
+      goto fail;
+
+    img->img_data = img_buf_memalign(buf_align, (size_t)alloc_size);
     img->img_data_owner = 1;
   }