Paul B Mahol:
> On 9/3/20, Andreas Rheinhardt <andreas.rheinha...@gmail.com> wrote:
>> Paul B Mahol:
>>> Signed-off-by: Paul B Mahol <one...@gmail.com>
>>> ---
>>> libavformat/Makefile | 1 +
>>> libavformat/allformats.c | 1 +
>>> libavformat/moflex.c | 360 +++++++++++++++++++++++++++++++++++++++
>>> 3 files changed, 362 insertions(+)
>>> create mode 100644 libavformat/moflex.c
>>>
>>> diff --git a/libavformat/Makefile b/libavformat/Makefile
>>> index cbb33fe37c..1e0ac317e5 100644
>>> --- a/libavformat/Makefile
>>> +++ b/libavformat/Makefile
>>> @@ -319,6 +319,7 @@ OBJS-$(CONFIG_MLV_DEMUXER) += mlvdec.o
>>> riffdec.o
>>> OBJS-$(CONFIG_MM_DEMUXER) += mm.o
>>> OBJS-$(CONFIG_MMF_DEMUXER) += mmf.o
>>> OBJS-$(CONFIG_MMF_MUXER) += mmf.o rawenc.o
>>> +OBJS-$(CONFIG_MOFLEX_DEMUXER) += moflex.o
>>> OBJS-$(CONFIG_MOV_DEMUXER) += mov.o mov_chan.o mov_esds.o
>>> replaygain.o
>>> OBJS-$(CONFIG_MOV_MUXER) += movenc.o av1.o avc.o hevc.o
>>> vpcc.o \
>>> movenchint.o mov_chan.o rtp.o
>>> \
>>> diff --git a/libavformat/allformats.c b/libavformat/allformats.c
>>> index 0aa9dd7198..28331facb9 100644
>>> --- a/libavformat/allformats.c
>>> +++ b/libavformat/allformats.c
>>> @@ -249,6 +249,7 @@ extern AVInputFormat ff_mlv_demuxer;
>>> extern AVInputFormat ff_mm_demuxer;
>>> extern AVInputFormat ff_mmf_demuxer;
>>> extern AVOutputFormat ff_mmf_muxer;
>>> +extern AVInputFormat ff_moflex_demuxer;
>>> extern AVInputFormat ff_mov_demuxer;
>>> extern AVOutputFormat ff_mov_muxer;
>>> extern AVOutputFormat ff_mp2_muxer;
>>> diff --git a/libavformat/moflex.c b/libavformat/moflex.c
>>> new file mode 100644
>>> index 0000000000..989623396f
>>> --- /dev/null
>>> +++ b/libavformat/moflex.c
>>> @@ -0,0 +1,360 @@
>>> +/*
>>> + * MOFLEX demuxer
>>> + * Copyright (c) 2020 Paul B Mahol
>>> + *
>>> + * This file is part of FFmpeg.
>>> + *
>>> + * FFmpeg is free software; you can redistribute it and/or
>>> + * modify it under the terms of the GNU Lesser General Public
>>> + * License as published by the Free Software Foundation; either
>>> + * version 2.1 of the License, or (at your option) any later version.
>>> + *
>>> + * FFmpeg is distributed in the hope that it will be useful,
>>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
>>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>>> + * Lesser General Public License for more details.
>>> + *
>>> + * You should have received a copy of the GNU Lesser General Public
>>> + * License along with FFmpeg; if not, write to the Free Software
>>> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>>> 02110-1301 USA
>>> + */
>>> +
>>> +#include "libavcodec/bytestream.h"
>>> +
>>> +#include "avformat.h"
>>> +#include "internal.h"
>>> +
>>> +typedef struct BitReader {
>>> + unsigned last;
>>> + unsigned pos;
>>> +} BitReader;
>>> +
>>> +typedef struct MOFLEXDemuxContext {
>>> + unsigned size;
>>> + int64_t pos;
>>> + int64_t ts;
>>> + int flags;
>>> + int in_block;
>>> +
>>> + BitReader br;
>>> +} MOFLEXDemuxContext;
>>> +
>>> +static int pop(BitReader *br, AVIOContext *pb)
>>> +{
>>> + if (avio_feof(pb))
>>> + return AVERROR_EOF;
>>> +
>>> + if ((br->pos & 7) == 0)
>>> + br->last = (unsigned)avio_r8(pb) << 24U;
>>> + else
>>> + br->last <<= 1;
>>> +
>>> + br->pos++;
>>> + return !!(br->last & 0x80000000);
>>> +}
>>> +
>>> +static int pop_int(BitReader *br, AVIOContext *pb, int n)
>>> +{
>>> + int value = 0;
>>> +
>>> + for (int i = 0; i < n; i++) {
>>> + int ret = pop(br, pb);
>>> +
>>> + if (ret < 0)
>>> + return ret;
>>> + value = 2 * value + ret;
>>> + }
>>> +
>>> + return value;
>>> +}
>>> +
>>> +static int pop_length(BitReader *br, AVIOContext *pb)
>>> +{
>>> + int ret, n = 1;
>>> +
>>> + while ((ret = pop(br, pb)) == 0)
>>> + n++;
>>> +
>>> + if (ret < 0)
>>> + return ret;
>>> + return n;
>>> +}
>>> +
>>> +static int read_var_byte(AVFormatContext *s, unsigned *out)
>>> +{
>>> + AVIOContext *pb = s->pb;
>>> + unsigned value = 0, data;
>>> +
>>> + data = avio_r8(pb);
>>> + if (!(data & 0x80)) {
>>> + *out = data;
>>> + return 0;
>>> + }
>>> +
>>> + value = (data & 0x7F) << 7;
>>> + data = avio_r8(pb);
>>> + if (!(data & 0x80)) {
>>> + value |= data;
>>> + *out = value;
>>> + return 0;
>>> + }
>>> +
>>> + value = ((data & 0x7F) | value) << 7;
>>> + data = avio_r8(pb);
>>> + if (!(data & 0x80)) {
>>> + value |= data;
>>> + *out = value;
>>> + return 0;
>>> + }
>>> +
>>> + value = (((data & 0x7F) | value) << 7) | avio_r8(pb);
>>> + *out = value;
>>> +
>>> + return 0;
>>> +}
>>> +
>>> +static int moflex_probe(const AVProbeData *p)
>>> +{
>>> + GetByteContext gb;
>>> + int score = 0;
>>> +
>>> + bytestream2_init(&gb, p->buf, p->buf_size);
>>> +
>>> + if (bytestream2_get_be16(&gb) != 0x4C32)
>>> + return 0;
>>> + score += 10;
>>> +
>>> + bytestream2_skip(&gb, 10);
>>> + if (bytestream2_get_be16(&gb) == 0)
>>> + return 0;
>>> + score += 5;
>>> +
>>> + while (bytestream2_get_bytes_left(&gb) > 0) {
>>> + int type = bytestream2_get_byte(&gb);
>>> + int size = bytestream2_get_byte(&gb);
>>> +
>>> + if (type == 0) {
>>> + score += 5 * (size == 0);
>>> + break;
>>> + }
>>> + if ((type == 1 && size == 12) ||
>>> + (type == 2 && size == 6) ||
>>> + (type == 3 && size == 13) ||
>>> + (type == 4 && size == 2))
>>> + score += 20;
>>> + bytestream2_skip(&gb, size);
>>> + }
>>> +
>>> + return FFMIN(AVPROBE_SCORE_MAX, score);
>>> +}
>>> +
>>> +static int moflex_read_sync(AVFormatContext *s)
>>> +{
>>> + MOFLEXDemuxContext *m = s->priv_data;
>>> + AVIOContext *pb = s->pb;
>>> +
>>> + if (avio_rb16(pb) != 0x4C32) {
>>> + if (avio_feof(pb))
>>> + return AVERROR_EOF;
>>> + avio_seek(pb, -2, SEEK_CUR);
>>> + return 1;
>>> + }
>>> +
>>> + avio_skip(pb, 2);
>>> + m->ts = avio_rb64(pb);
>>> + m->size = avio_rb16(pb) + 1;
>>> +
>>> + while (!avio_feof(pb)) {
>>> + unsigned type, ssize, codec_id = 0;
>>> + unsigned codec_type, width = 0, height = 0, sample_rate = 0,
>>> channels = 0;
>>> + int stream_index = -1;
>>> + int format;
>>> + AVRational fps;
>>> +
>>> + read_var_byte(s, &type);
>>> + read_var_byte(s, &ssize);
>>> +
>>> + switch (type) {
>>> + case 0:
>>> + if (ssize > 0)
>>> + avio_skip(pb, ssize);
>>> + return 0;
>>> + case 2:
>>> + codec_type = AVMEDIA_TYPE_AUDIO;
>>> + stream_index = avio_r8(pb);
>>> + codec_id = avio_r8(pb);
>>> + switch (codec_id) {
>>> + case 0: codec_id = AV_CODEC_ID_FASTAUDIO; break;
>>> + case 1: codec_id = AV_CODEC_ID_ADPCM_IMA_MOFLEX; break;
>>> + case 2: codec_id = AV_CODEC_ID_PCM_S16LE; break;
>>> + default:
>>> + av_log(s, AV_LOG_ERROR, "Unsupported audio codec: %d\n",
>>> codec_id);
>>> + return AVERROR_PATCHWELCOME;
>>> + }
>>> + sample_rate = avio_rb24(pb) + 1;
>>> + channels = avio_r8(pb) + 1;
>>> + break;
>>> + case 1:
>>> + case 3:
>>> + codec_type = AVMEDIA_TYPE_VIDEO;
>>> + stream_index = avio_r8(pb);
>>> + codec_id = avio_r8(pb);
>>> + switch (codec_id) {
>>> + case 0: codec_id = AV_CODEC_ID_MOBICLIP; break;
>>> + default:
>>> + av_log(s, AV_LOG_ERROR, "Unsupported video codec: %d\n",
>>> codec_id);
>>> + return AVERROR_PATCHWELCOME;
>>> + }
>>> + fps.num = avio_rb16(pb);
>>> + fps.den = avio_rb16(pb);
>>> + width = avio_rb16(pb);
>>> + height = avio_rb16(pb);
>>> + format = AV_PIX_FMT_YUV420P;
>>> + avio_skip(pb, type == 3 ? 3 : 2);
>>> + break;
>>> + case 4:
>>> + codec_type = AVMEDIA_TYPE_DATA;
>>> + stream_index = avio_r8(pb);
>>> + avio_skip(pb, 1);
>>> + break;
>>> + }
>>> +
>>> + if (stream_index == s->nb_streams) {
>>> + AVStream *st = avformat_new_stream(s, NULL);
>>> +
>>> + if (!st)
>>> + return AVERROR(ENOMEM);
>>> +
>>> + st->codecpar->codec_type = codec_type;
>>> + st->codecpar->codec_id = codec_id;
>>> + st->codecpar->width = width;
>>> + st->codecpar->height = height;
>>> + st->codecpar->sample_rate= sample_rate;
>>> + st->codecpar->channels = channels;
>>> + st->codecpar->format = format;
>>> + st->priv_data = av_packet_alloc();
>>> + if (!st->priv_data)
>>> + return AVERROR(ENOMEM);
>>
>> If this allocation fails when reading a packet, you end up with a stream
>> without priv_data. If the caller decides to call av_read_frame() again,
>> you can get a segfault, because the code for reading a packet presumes
>> every stream to have an AVPacket as priv_data.
>
> No this is huge libavformat bug. NULL pointer dereference when appending
> packet.
>
No it is a bug to call it with pkt == NULL.
>>
>>> +
>>> + if (sample_rate)
>>> + avpriv_set_pts_info(st, 63, 1, sample_rate);
>>> + else
>>> + avpriv_set_pts_info(st, 63, fps.den, fps.num);
>>> + }
>>> + }
>>> +
>>> + return 0;
>>> +}
>>> +
>>> +static int moflex_read_header(AVFormatContext *s)
>>> +{
>>> + int ret;
>>> +
>>> + ret = moflex_read_sync(s);
>>> + if (ret < 0)
>>> + return ret;
>>> +
>>> + s->ctx_flags |= AVFMTCTX_NOHEADER;
>>> + avio_seek(s->pb, 0, SEEK_SET);
>>> +
>>> + return 0;
>>> +}
>>> +
>>> +static int moflex_read_packet(AVFormatContext *s, AVPacket *pkt)
>>> +{
>>> + MOFLEXDemuxContext *m = s->priv_data;
>>> + AVIOContext *pb = s->pb;
>>> + BitReader *br = &m->br;
>>> + int ret;
>>> +
>>> + while (!avio_feof(pb)) {
>>> + if (!m->in_block) {
>>> + m->pos = avio_tell(pb);
>>> +
>>> + ret = moflex_read_sync(s);
>>> + if (ret < 0)
>>> + return ret;
>>> +
>>> + m->flags = avio_r8(pb);
>>> + if (m->flags & 2)
>>> + avio_skip(pb, 2);
>>> + }
>>> +
>>> + while ((avio_tell(pb) < m->pos + m->size) && !avio_feof(pb) &&
>>> avio_r8(pb)) {
>>> + int stream_index, bits, pkt_size, endframe;
>>> + AVPacket *packet;
>>> +
>>> + m->in_block = 1;
>>> +
>>> + avio_seek(pb, -1, SEEK_CUR);
>>> + br->pos = br->last = 0;
>>> +
>>> + bits = pop_length(br, pb);
>>> + if (bits < 0)
>>> + return bits;
>>> + stream_index = pop_int(br, pb, bits);
>>> + if (stream_index < 0)
>>> + return stream_index;
>>> + if (stream_index >= s->nb_streams)
>>> + return AVERROR_INVALIDDATA;
>>> +
>>> + endframe = pop(br, pb);
>>> + if (endframe < 0)
>>> + return endframe;
>>> + if (endframe) {
>>> + bits = pop_length(br, pb);
>>> + if (bits < 0)
>>> + return bits;
>>> + pop_int(br, pb, bits);
>>> + pop(br, pb);
>>> + bits = pop_length(br, pb);
>>> + if (bits < 0)
>>> + return bits;
>>> + pop_int(br, pb, bits * 2 + 26);
>>> + }
>>> +
>>> + pkt_size = pop_int(br, pb, 13) + 1;
>>> + packet = s->streams[stream_index]->priv_data;
>>> +
>>> + ret = av_append_packet(pb, packet, pkt_size);
>>> + if (endframe) {
>>> + av_packet_move_ref(pkt, packet);
>>> + pkt->pos = m->pos;
>>> + pkt->stream_index = stream_index;
>>> + pkt->flags |= AV_PKT_FLAG_KEY;
>>> + return ret;
>>> + }
>>> + }
>>> +
>>> + m->in_block = 0;
>>> +
>>> + if (m->flags % 2 == 0)
>>> + avio_seek(pb, m->pos + m->size, SEEK_SET);
>>> + }
>>> +
>>> + return AVERROR_EOF;
>>> +}
>>> +
>>> +static int moflex_read_close(AVFormatContext *s)
>>> +{
>>> + for (int i = 0; i < s->nb_streams; i++) {
>>> + AVPacket *packet = s->streams[i]->priv_data;
>>> +
>>> + av_packet_free(&packet);
>>> + s->streams[i]->priv_data = 0;
>>> + }
>>> +
>>> + return 0;
>>> +}
>>> +
>>> +AVInputFormat ff_moflex_demuxer = {
>>> + .name = "moflex",
>>> + .long_name = NULL_IF_CONFIG_SMALL("MobiClip MOFLEX"),
>>> + .priv_data_size = sizeof(MOFLEXDemuxContext),
>>> + .read_probe = moflex_probe,
>>> + .read_header = moflex_read_header,
>>> + .read_packet = moflex_read_packet,
>>> + .read_close = moflex_read_close,
>>> + .extensions = "moflex",
>>> + .flags = AVFMT_GENERIC_INDEX,
>>> +};
>>>
>>
>> _______________________________________________
>> ffmpeg-devel mailing list
>> ffmpeg-devel@ffmpeg.org
>> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>
>> To unsubscribe, visit link above, or email
>> ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
