From f3778e730a95d6e854048eb9b0bd5046b6faf3e7 Mon Sep 17 00:00:00 2001
From: tanio99
Date: Thu, 9 Apr 2020 17:37:17 +0200
Subject: [PATCH 1/2] BitstreamConverter: fix signed/unsigned mismatches and a pointer arithmetic issue causing an overrun
---
 xbmc/utils/BitstreamConverter.cpp | 10 +++++-----
 xbmc/utils/BitstreamConverter.h | 4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/xbmc/utils/BitstreamConverter.cpp b/xbmc/utils/BitstreamConverter.cpp
index f2224a5457939..91f136cd75186 100644
--- a/xbmc/utils/BitstreamConverter.cpp
+++ b/xbmc/utils/BitstreamConverter.cpp
@@ -535,7 +535,7 @@ bool CBitstreamConverter::Convert(uint8_t *pData, int iSize)
 if (m_convert_bitstream)
 {
 // convert demuxer packet from bitstream to bytestream (AnnexB)
- int bytestream_size = 0;
+ uint32_t bytestream_size = 0;
 uint8_t *bytestream_buff = NULL;
 BitstreamConvert(demuxer_content, demuxer_bytes, &bytestream_buff, &bytestream_size);

@@ -868,7 +868,7 @@ bool CBitstreamConverter::IsSlice(uint8_t unit_type)
 }
 }

-bool CBitstreamConverter::BitstreamConvert(uint8_t* pData, int iSize, uint8_t **poutbuf, int *poutbuf_size)
+bool CBitstreamConverter::BitstreamConvert(uint8_t* pData, int iSize, uint8_t **poutbuf, uint32_t *poutbuf_size)
 {
 // based on h264_mp4toannexb_bsf.c (ffmpeg)
 // which is Copyright (c) 2007 Benoit Fouet
@@ -878,7 +878,7 @@ bool CBitstreamConverter::BitstreamConvert(uint8_t* pData, int iSize, uint8_t **
 uint8_t *buf = pData;
 uint32_t buf_size = iSize;
 uint8_t unit_type, nal_sps, nal_pps, nal_sei;
- int32_t nal_size;
+ uint32_t nal_size;
 uint32_t cumul_size = 0;
 const uint8_t *buf_end = buf + buf_size;

@@ -916,7 +916,7 @@ bool CBitstreamConverter::BitstreamConvert(uint8_t* pData, int iSize, uint8_t **
 unit_type = (*buf >> 1) & 0x3f;
 }

- if (buf + nal_size > buf_end || nal_size <= 0)
+ if (nal_size > (buf_end - buf) || nal_size == 0)
 goto fail;

 // Don't add sps/pps if the unit already contain them
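Review bot: `uint32_t buf_size = iSize;` in the context of the @@ -878 hunk is left as a signed-to-unsigned conversion, so a negative `iSize` becomes a very large `buf_size` and `buf_end = buf + buf_size` no longer marks the end of the packet; every bound later derived from `buf_end` then stops protecting the reads. Since this commit is about exactly this class of mismatch, an entry guard such as `if (pData == nullptr || iSize <= 0) return false;` ahead of these declarations would cover it. The function body starts and ends outside the hunk, so an earlier rejection of that case by the caller cannot be ruled out from here.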
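Review bot: In the @@ -916 hunk the rewritten length check still sits after `unit_type = (*buf >> 1) & 0x3f;`, so `*buf` is read before anything visible has confirmed that a payload byte exists; unless a test outside this hunk guarantees `buf < buf_end` at that point, a packet that ends right after the length prefix gives a one-byte read past the buffer, and moving the check above the `unit_type` read closes that. The comparison also mixes `uint32_t` with the signed `ptrdiff_t` result of `buf_end - buf`, which on a 32-bit target is evaluated as unsigned. Written as `if (nal_size == 0 || nal_size > static_cast<size_t>(buf_end - buf))` it is unsigned on both sides everywhere, which is valid as long as `buf` never passes `buf_end`. The loop around these lines begins and ends outside the hunk.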
@@ -956,7 +956,7 @@ bool CBitstreamConverter::BitstreamConvert(uint8_t* pData, int iSize, uint8_t **
 }

 void CBitstreamConverter::BitstreamAllocAndCopy(uint8_t** poutbuf,
- int* poutbuf_size,
+ uint32_t* poutbuf_size,
 const uint8_t* sps_pps,
 uint32_t sps_pps_size,
 const uint8_t* in,
diff --git a/xbmc/utils/BitstreamConverter.h b/xbmc/utils/BitstreamConverter.h
index 3c57e14057ecd..91b7864a9f13c 100644
--- a/xbmc/utils/BitstreamConverter.h
+++ b/xbmc/utils/BitstreamConverter.h
@@ -108,9 +108,9 @@ class CBitstreamConverter
 bool IsSlice(uint8_t unit_type);
 bool BitstreamConvertInitAVC(void *in_extradata, int in_extrasize);
 bool BitstreamConvertInitHEVC(void *in_extradata, int in_extrasize);
- bool BitstreamConvert(uint8_t* pData, int iSize, uint8_t **poutbuf, int *poutbuf_size);
+ bool BitstreamConvert(uint8_t* pData, int iSize, uint8_t **poutbuf, uint32_t *poutbuf_size);
 static void BitstreamAllocAndCopy(uint8_t** poutbuf,
- int* poutbuf_size,
+ uint32_t* poutbuf_size,
 const uint8_t* sps_pps,
 uint32_t sps_pps_size,
 const uint8_t* in,
From 429f6abc22a442e8a03aea7cef3934df316275a5 Mon Sep 17 00:00:00 2001
From: tanio99
Date: Thu, 29 Aug 2019 15:57:56 +0200
Subject: [PATCH 2/2] BitstreamConverter: also parse mvcC atom if it's present in the extradata
---
 xbmc/utils/BitstreamConverter.cpp | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/xbmc/utils/BitstreamConverter.cpp b/xbmc/utils/BitstreamConverter.cpp
index 91f136cd75186..51780d27720fa 100644
--- a/xbmc/utils/BitstreamConverter.cpp
+++ b/xbmc/utils/BitstreamConverter.cpp
@@ -678,6 +678,7 @@ bool CBitstreamConverter::BitstreamConvertInitAVC(void *in_extradata, int in_ext
 uint16_t unit_size;
 uint32_t total_size = 0;
 uint8_t *out = NULL, unit_nb, sps_done = 0, sps_seen = 0, pps_seen = 0;
+ uint8_t mvc_done = 0;
 const uint8_t *extradata = (uint8_t*)in_extradata + 4;
 static const uint8_t nalu_header[4] = {0, 0, 0, 1};

@@ -726,6 +727,18 @@ bool CBitstreamConverter::BitstreamConvertInitAVC(void *in_extradata, int in_ext
 if (unit_nb)
 pps_seen = 1;
 }
+
+ if (!unit_nb && !mvc_done++)
+ {
+ if (in_extrasize - total_size > 14 && memcmp(extradata + 8, "mvcC", 4) == 0)
+ {
+ // start over; take SPS and PPS from the mvcC atom
+ extradata += 12 + 5; // skip over mvcC atom header
+ unit_nb = *extradata++ & 0x1f; // number of sps unit(s)
+ sps_done = 0;
+ pps_seen = 0;
+ }
+ }
 }

 if (out)
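Review bot: The guard `in_extrasize - total_size > 14` does not cover the bytes this block then touches: `memcmp` reads `extradata + 8` through `extradata + 11`, and after `extradata += 12 + 5` the next line dereferences what was offset 17, so at least 18 bytes have to remain. The subtraction is also carried out in unsigned arithmetic (`int` minus `uint32_t`), so it wraps to a large value whenever `total_size` exceeds `in_extrasize`; `total_size` also looks like an output byte count rather than the read position, though its updates are outside this hunk and that is an inference. Bounding on the read pointer avoids both problems: `const uint8_t *extradata_end = (const uint8_t*)in_extradata + in_extrasize;` followed by `if (extradata_end - extradata >= 12 + 5 + 1 && memcmp(extradata + 8, "mvcC", 4) == 0)`. The enclosing loop and the SPS/PPS unit parsing that resumes after the restart lie outside the hunk, so whether those reads are bounded against the same end pointer should be checked there as well.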