From: Jim Bankoski Date: Thu, 17 Jul 2014 13:31:50 +0000 (-0700) Subject: allow config options to limit max size of decode X-Git-Tag: v1.4.0~1205 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=943e43273b0a7369d07714e7fd2e19fecfb11c7c;p=libvpx allow config options to limit max size of decode This is a practical concern to allow us to fail in a decoder instance if the size of a file is bigger than we can reasonably handle. Change-Id: I0446b5502b1f8a48408107648ff2a8d187dca393 --- diff --git a/build/make/configure.sh b/build/make/configure.sh index 688162617..f22e3e0ac 100755 --- a/build/make/configure.sh +++ b/build/make/configure.sh @@ -485,6 +485,7 @@ EOF print_config_h ARCH "${TMP_H}" ${ARCH_LIST} print_config_h HAVE "${TMP_H}" ${HAVE_LIST} print_config_h CONFIG "${TMP_H}" ${CONFIG_LIST} + print_config_vars_h "${TMP_H}" ${VAR_LIST} echo "#endif /* VPX_CONFIG_H */" >> ${TMP_H} mkdir -p `dirname "$1"` cmp "$1" ${TMP_H} >/dev/null 2>&1 || mv ${TMP_H} "$1" @@ -550,6 +551,15 @@ process_common_cmdline() { || die "Must be yasm, nasm or auto: ${optval}" alt_as="${optval}" ;; + --size-limit=*) + w="${optval%%x*}" + h="${optval##*x}" + VAR_LIST="DECODE_WIDTH_LIMIT ${w} DECODE_HEIGHT_LIMIT ${h}" + [ ${w} -gt 0 -a ${h} -gt 0 ] || die "Invalid size-limit: too small." + [ ${w} -lt 65536 -a ${h} -lt 65536 ] \ + || die "Invalid size-limit: too big." + enable_feature size_limit + ;; --prefix=*) prefix="${optval}" ;; @@ -1324,6 +1334,16 @@ print_config_h() { done } +print_config_vars_h() { + local header=$1 + shift + while [ $# -gt 0 ]; do + upname="`toupper $1`" + echo "#define ${upname} $2" >> $header + shift 2 + done +} + print_webm_license() { local destination=$1 local prefix="$2" diff --git a/configure b/configure index b98480ecb..b8159c0af 100755 --- a/configure +++ b/configure @@ -26,6 +26,7 @@ Advanced options: ${toggle_unit_tests} unit tests ${toggle_decode_perf_tests} build decoder perf tests with unit tests --libc=PATH path to alternate libc + --size-limit=WxH max size to allow in the decoder --as={yasm|nasm|auto} use specified assembler [auto, yasm preferred] --sdk-path=PATH path to root of sdk (android builds only) ${toggle_fast_unaligned} don't use unaligned accesses, even when @@ -327,6 +328,7 @@ CONFIG_LIST=" multi_res_encoding temporal_denoising experimental + size_limit ${EXPERIMENT_LIST} " CMDLINE_SELECT=" @@ -352,6 +354,7 @@ CMDLINE_SELECT=" docs libc as + size_limit fast_unaligned codec_srcs debug_libs diff --git a/test/encode_test_driver.cc b/test/encode_test_driver.cc index b30c3e098..da7e32b51 100644 --- a/test/encode_test_driver.cc +++ b/test/encode_test_driver.cc @@ -177,7 +177,10 @@ void EncoderTest::RunLoop(VideoSource *video) { if (decoder && DoDecode()) { vpx_codec_err_t res_dec = decoder->DecodeFrame( (const uint8_t*)pkt->data.frame.buf, pkt->data.frame.sz); - ASSERT_EQ(VPX_CODEC_OK, res_dec) << decoder->DecodeError(); + + if (!HandleDecodeResult(res_dec, *video, decoder)) + break; + has_dxdata = true; } ASSERT_GE(pkt->data.frame.pts, last_pts_); diff --git a/test/encode_test_driver.h b/test/encode_test_driver.h index 9526068da..2270ce22f 100644 --- a/test/encode_test_driver.h +++ b/test/encode_test_driver.h @@ -221,6 +221,14 @@ class EncoderTest { virtual void DecompressedFrameHook(const vpx_image_t& img, vpx_codec_pts_t pts) {} + // Hook to be called to handle decode result. Return true to continue. + virtual bool HandleDecodeResult(const vpx_codec_err_t res_dec, + const VideoSource& /* video */, + Decoder *decoder) { + EXPECT_EQ(VPX_CODEC_OK, res_dec) << decoder->DecodeError(); + return VPX_CODEC_OK == res_dec; + } + // Hook that can modify the encoder's output data virtual const vpx_codec_cx_pkt_t * MutateEncoderOutputHook( const vpx_codec_cx_pkt_t *pkt) { diff --git a/test/frame_size_tests.cc b/test/frame_size_tests.cc new file mode 100644 index 000000000..d1ea0967f --- /dev/null +++ b/test/frame_size_tests.cc @@ -0,0 +1,98 @@ +/* + * Copyright (c) 2014 The WebM project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ +#include +#include +#include "third_party/googletest/src/include/gtest/gtest.h" +#include "test/codec_factory.h" +#include "test/encode_test_driver.h" +#include "test/i420_video_source.h" +#include "test/util.h" + +namespace { + +class VP9FrameSizeTestsLarge + : public ::libvpx_test::EncoderTest, + public ::testing::Test { + protected: + VP9FrameSizeTestsLarge() : EncoderTest(&::libvpx_test::kVP9), + expected_res_(VPX_CODEC_OK) {} + virtual ~VP9FrameSizeTestsLarge() {} + + virtual void SetUp() { + InitializeConfig(); + SetMode(::libvpx_test::kRealTime); + } + + virtual bool HandleDecodeResult(const vpx_codec_err_t res_dec, + const libvpx_test::VideoSource &video, + libvpx_test::Decoder *decoder) { + EXPECT_EQ(expected_res_, res_dec) + << "Expected " << expected_res_ + << "but got " << res_dec; + + return !::testing::Test::HasFailure(); + } + + virtual void PreEncodeFrameHook(::libvpx_test::VideoSource *video, + ::libvpx_test::Encoder *encoder) { + if (video->frame() == 1) { + encoder->Control(VP8E_SET_CPUUSED, 7); + encoder->Control(VP8E_SET_ENABLEAUTOALTREF, 1); + encoder->Control(VP8E_SET_ARNR_MAXFRAMES, 7); + encoder->Control(VP8E_SET_ARNR_STRENGTH, 5); + encoder->Control(VP8E_SET_ARNR_TYPE, 3); + } + } + + int expected_res_; +}; + +TEST_F(VP9FrameSizeTestsLarge, TestInvalidSizes) { + ::libvpx_test::RandomVideoSource video; + +#if CONFIG_SIZE_LIMIT + video.SetSize(DECODE_WIDTH_LIMIT + 16, DECODE_HEIGHT_LIMIT + 16); + video.set_limit(2); + expected_res_ = VPX_CODEC_CORRUPT_FRAME; + ASSERT_NO_FATAL_FAILURE(RunLoop(&video)); +#else + // If we are on a 32 bit platform we can't possibly allocate enough memory + // for the largest video frame size (64kx64k). This test checks that we + // properly return a memory error. + if (sizeof(size_t) == 4) { + video.SetSize(65535, 65535); + video.set_limit(2); + expected_res_ = VPX_CODEC_MEM_ERROR; + ASSERT_NO_FATAL_FAILURE(RunLoop(&video)); + } +#endif +} + +TEST_F(VP9FrameSizeTestsLarge, ValidSizes) { + ::libvpx_test::RandomVideoSource video; + +#if CONFIG_SIZE_LIMIT + video.SetSize(DECODE_WIDTH_LIMIT, DECODE_HEIGHT_LIMIT); + video.set_limit(2); + expected_res_ = VPX_CODEC_OK; + ASSERT_NO_FATAL_FAILURE(RunLoop(&video)); +#else + // This test produces a pretty large single frame allocation, (roughly + // 25 megabits). The encoder allocates a good number of these frames + // one for each lag in frames (for 2 pass), and then one for each possible + // reference buffer (8) - we can end up with up to 30 buffers of roughly this + // size or almost 1 gig of memory. + video.SetSize(4096, 4096); + video.set_limit(2); + expected_res_ = VPX_CODEC_OK; + ASSERT_NO_FATAL_FAILURE(RunLoop(&video)); +#endif +} +} // namespace diff --git a/test/test.mk b/test/test.mk index 012dfd7c3..bfd372bdb 100644 --- a/test/test.mk +++ b/test/test.mk @@ -34,6 +34,7 @@ LIBVPX_TEST_SRCS-$(CONFIG_VP9_DECODER) += user_priv_test.cc LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += active_map_test.cc LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += borders_test.cc LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += cpu_speed_test.cc +LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += frame_size_tests.cc LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += resize_test.cc LIBVPX_TEST_SRCS-$(CONFIG_VP9_ENCODER) += vp9_lossless_test.cc diff --git a/test/video_source.h b/test/video_source.h index 4250cb74b..f7e31d42a 100644 --- a/test/video_source.h +++ b/test/video_source.h @@ -127,6 +127,10 @@ class DummyVideoSource : public VideoSource { virtual unsigned int limit() const { return limit_; } + void set_limit(unsigned int limit) { + limit_ = limit; + } + void SetSize(unsigned int width, unsigned int height) { if (width != width_ || height != height_) { vpx_img_free(img_); diff --git a/vp9/decoder/vp9_decodeframe.c b/vp9/decoder/vp9_decodeframe.c index 82d0307e0..615fa4c76 100644 --- a/vp9/decoder/vp9_decodeframe.c +++ b/vp9/decoder/vp9_decodeframe.c @@ -621,6 +621,12 @@ static void setup_display_size(VP9_COMMON *cm, struct vp9_read_bit_buffer *rb) { } static void apply_frame_size(VP9_COMMON *cm, int width, int height) { +#if CONFIG_SIZE_LIMIT + if (width > DECODE_WIDTH_LIMIT || height > DECODE_HEIGHT_LIMIT) + vpx_internal_error(&cm->error, VPX_CODEC_CORRUPT_FRAME, + "Width and height beyond allowed size."); +#endif + if (cm->width != width || cm->height != height) { // Change in frame size. // TODO(agrange) Don't test width/height, check overall size. diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c index dc8fcbc3b..8c7e3cfca 100644 --- a/vpx/src/vpx_image.c +++ b/vpx/src/vpx_image.c @@ -12,6 +12,7 @@ #include #include #include "vpx/vpx_image.h" +#include "vpx/vpx_integer.h" #define ADDRESS_STORAGE_SIZE sizeof(size_t) /*returns an addr aligned to the byte boundary specified by align*/ @@ -165,8 +166,13 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img, img->img_data = img_data; if (!img_data) { - img->img_data = img_buf_memalign(buf_align, ((fmt & VPX_IMG_FMT_PLANAR) ? - h * s * bps / 8 : h * s)); + const uint64_t alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? + (uint64_t)h * s * bps / 8 : (uint64_t)h * s; + + if (alloc_size != (size_t)alloc_size) + goto fail; + + img->img_data = img_buf_memalign(buf_align, (size_t)alloc_size); img->img_data_owner = 1; }