From patchwork Sat Dec 14 22:19:23 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andreas Rheinhardt X-Patchwork-Id: 16791 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id C593A448FE9 for ; Sun, 15 Dec 2019 00:26:04 +0200 (EET) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id AD151689ADE; Sun, 15 Dec 2019 00:26:04 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-wm1-f67.google.com (mail-wm1-f67.google.com [209.85.128.67]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id A802F6899F2 for ; Sun, 15 Dec 2019 00:25:54 +0200 (EET) Received: by mail-wm1-f67.google.com with SMTP id d73so2630280wmd.1 for ; Sat, 14 Dec 2019 14:25:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=EWg8zk7CZCHQ+ZvYAYCotAc8QSILgIrfLvg7C4LnJpw=; b=CVtrh1p4I+kN9sbRbAYCmUMzh5D6Xp+uMF4Uc0VEgmNLkM2SgKLn5le2G080+rWc6z 6eoHjEeoo+8MB/p7aN/gYFP9eCSs1dkMcHYTST88JaXmbjFDSPPCcScUkMzMlWrU8D6M AyyXxW+ztDH8e3FXIOi1KWIF+xLcpktvrDsy+yUwBUOgDUjduz17WCIQcLK1rDFA09OV lzLj3volHcBoi7AQ93Hq0TCIYIshSkCrdQ+ldsToI2TnjyqdPLm4ktQHbDoGuuhLm73W xHRwKhFuGRkCUQ6jlK2ZRMw9tjvv8kYo9JzF08YHHfFDKQRln66auEHOTz/CaTNu2YXO lchQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=EWg8zk7CZCHQ+ZvYAYCotAc8QSILgIrfLvg7C4LnJpw=; b=DTdeE8mmKdRFu5o/iW7TjldruQ8XcR3qLNKmGBcWRLnnu5mNQcGLtso01NmLQhQsL1 H6cSXnFKy+IBK5AuMpk36T+nch+6JCnAyhHAZmtJTn9eU+NR2tJqL+tMyZfO/lPDIaGL 
1MSKqAMoqHrM7F3Qz6M33Nk5L6arFQ2oiqd01YikZuTTW7buadODEGiXGlb9mrmFnSBK BovWCODbbrKPfBKJOAbBXNPgKVketRYmkdH07batLnL0ns4x9dO+LQcUB6UZFBPT7kNV x76103na+5dddEFizB+i2ZmgHuTSKFKYx9Ao4Wi0j4ZqKvZGR0dd2NfHPG1Jmk6P2e2Q XOmw== X-Gm-Message-State: APjAAAWsrSmokCOAK+0rUwmtPgtANUPrdZCTmxNCelS/+a5kFa6vrfnD +GkWuUJ5O7eCVEfHjuM2xe3LaEeA X-Google-Smtp-Source: APXvYqygzBrKomlo9tVBv4EGw1hlaKzMudLsXGJXeI2VgaipCYU/8WKHzxDqZ1u/gYb/cu+lXtz6LQ== X-Received: by 2002:a1c:1d8c:: with SMTP id d134mr22344786wmd.16.1576362353851; Sat, 14 Dec 2019 14:25:53 -0800 (PST) Received: from sblaptop.fritz.box (ipbcc08e23.dynamic.kabel-deutschland.de. [188.192.142.35]) by smtp.gmail.com with ESMTPSA id v3sm15063771wml.47.2019.12.14.14.25.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 14 Dec 2019 14:25:53 -0800 (PST) 
From: Andreas Rheinhardt To: ffmpeg-devel@ffmpeg.org Date: Sat, 14 Dec 2019 23:19:23 +0100 Message-Id: <20191214221926.16074-11-andreas.rheinhardt@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191214221926.16074-1-andreas.rheinhardt@gmail.com> References: <20191214221926.16074-1-andreas.rheinhardt@gmail.com> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH v2 11/14] h264_mp4toannexb: Stop reallocating the output buffer X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Andreas Rheinhardt Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Up until now, h264_mp4toannexb would grow the output packet's buffer by the desired amount every time another NAL unit of the input packet has been read; this commit changes this: The input buffer is now essentially parsed twice, once to determine the final size of the output packet and once to write the output packet's data. Fixes: Timeout Fixes: 19322/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-5688407821123584 Signed-off-by: Andreas Rheinhardt --- libavcodec/h264_mp4toannexb_bsf.c | 124 +++++++++++++++++------------- 1 file changed, 72 insertions(+), 52 deletions(-) diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index 1505ee1c3d..4b92f0de94 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c 
@@ -42,27 +42,23 @@ typedef struct H264BSFContext {
int extradata_parsed;
} H264BSFContext;
-static int alloc_and_copy(AVPacket *out,
- const uint8_t *in, uint32_t in_size, int ps)
+static void count_or_copy(uint8_t **out, uint64_t *out_size,
+ const uint8_t *in, int in_size, int ps, int copy)
{
- uint32_t offset = out->size;
- uint8_t start_code_size = ps < 0 ? 0 : offset == 0 || ps ? 4 : 3;
- int err;
+ uint8_t start_code_size = ps < 0 ? 0 : *out_size == 0 || ps ? 4 : 3;
- err = av_grow_packet(out, in_size + start_code_size);
- if (err < 0)
- return err;
-
- memcpy(out->data + start_code_size + offset, in, in_size);
+ if (copy) {
+ memcpy(*out + start_code_size, in, in_size);
if (start_code_size == 4) {
- AV_WB32(out->data + offset, 1);
+ AV_WB32(*out, 1);
} else if (start_code_size) {
- (out->data + offset)[0] =
- (out->data + offset)[1] = 0;
- (out->data + offset)[2] = 1;
+ (*out)[0] =
+ (*out)[1] = 0;
+ (*out)[2] = 1;
}
-
- return 0;
+ *out += start_code_size + in_size;
+ }
+ *out_size += start_code_size + in_size;
}
static int h264_extradata_to_annexb(AVBSFContext *ctx, const int padding)
@@ -169,15 +165,17 @@ static int h264_mp4toannexb_init(AVBSFContext *ctx)
return 0;
}
-static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
+static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt)
{
H264BSFContext *s = ctx->priv_data;
AVPacket *in;
- uint8_t unit_type;
+ uint8_t unit_type, new_idr, sps_seen, pps_seen;
int32_t nal_size;
const uint8_t *buf;
const uint8_t *buf_end;
+ uint8_t *out;
+ uint64_t out_size;
int ret = 0, i;
ret = ff_bsf_get_packet(ctx, &in);
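Review bot: count_or_copy cannot verify that `*out` has room for `start_code_size + in_size` bytes when `copy` is set, and nothing at the definition records that the unbounded `memcpy(*out + start_code_size, in, in_size)` is only safe if the caller already sized the buffer with an identical sequence of `copy == 0` calls (the 4- versus 3-byte start code even depends on `*out_size == 0`, so the call order matters). I would state that contract above the function, roughly: `/* copy == 0: only accumulate the Annex B size in *out_size. copy != 0: also write to *out and advance it; *out must hold start_code_size + in_size bytes, sized by an earlier counting pass with the same calls. */`. Note also that `in_size` went from uint32_t to int, so a negative value would now feed memcpy directly; presumably the callers only pass validated nal_size and extradata sizes, but an `av_assert1(in_size >= 0);` or a comment would make that visible here.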
@@ -186,14 +184,23 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
/* nothing to filter */
if (!s->extradata_parsed) {
- av_packet_move_ref(out, in);
+ av_packet_move_ref(opkt, in);
av_packet_free(&in);
return 0;
}
- buf = in->data;
buf_end = in->data + in->size;
+#define LOG_ONCE(...) \
+ if (j) \
+ av_log(__VA_ARGS__)
+ for (int j = 0; j < 2; j++) {
+ buf = in->data;
+ new_idr = s->new_idr;
+ sps_seen = s->idr_sps_seen;
+ pps_seen = s->idr_pps_seen;
+ out_size = 0;
+ do {
ret= AVERROR(EINVAL);
if (buf + s->length_size > buf_end)
@@ -209,20 +216,16 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
goto fail;
if (unit_type == H264_NAL_SPS)
- s->idr_sps_seen = s->new_idr = 1;
+ sps_seen = new_idr = 1;
else if (unit_type == H264_NAL_PPS) {
- s->idr_pps_seen = s->new_idr = 1;
+ pps_seen = new_idr = 1;
/* if SPS has not been seen yet, prepend the AVCC one to PPS */
- if (!s->idr_sps_seen) {
+ if (!sps_seen) {
if (!s->sps_size)
- av_log(ctx, AV_LOG_WARNING, "SPS not present in the stream, nor in AVCC, stream may be unreadable\n");
+ LOG_ONCE(ctx, AV_LOG_WARNING, "SPS not present in the stream, nor in AVCC, stream may be unreadable\n");
else {
- if ((ret = alloc_and_copy(out,
- s->sps,
- s->sps_size,
- -1)) < 0)
- goto fail;
- s->idr_sps_seen = 1;
+ count_or_copy(&out, &out_size, s->sps, s->sps_size, -1, j);
+ sps_seen = 1;
}
}
}
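Review bot: The first LOG_ONCE use in the PPS branch creates a dangling else: `if (!s->sps_size) LOG_ONCE(...); else { ... }` expands to `if (!s->sps_size) if (j) av_log(...); else { count_or_copy(...); sps_seen = 1; }`, so the `else` binds to the macro's inner `if (j)`, not to `if (!s->sps_size)`. The AVCC-SPS branch therefore runs only when `s->sps_size == 0 && j == 0` (copying zero bytes and setting sps_seen on the counting pass only) and never when an SPS is actually available, which silently drops the "prepend the AVCC one to PPS" behaviour of the removed code and lets the two passes diverge in sps_seen; as far as I can trace it the emitted size still matches in both passes, but the copy pass relies on that match for memory safety, so this is fragile. The PPS site in the following hunk is braced and does not have the problem. Fix it at the macro so every use is one statement, `#define LOG_ONCE(...) do { if (j) av_log(__VA_ARGS__); } while (0)`, brace the `if (!s->sps_size)` body as well, and add a comment that LOG_ONCE relies on the loop variable `j` of the enclosing for. h264_mp4toannexb_filter starts in an earlier hunk and continues past this one.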
@@ -230,44 +233,61 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
/* if this is a new IDR picture following an IDR picture, reset the idr flag.
* Just check first_mb_in_slice to be 0 as this is the simplest solution.
* This could be checking idr_pic_id instead, but would complexify the parsing. */
- if (!s->new_idr && unit_type == H264_NAL_IDR_SLICE && (buf[1] & 0x80))
- s->new_idr = 1;
+ if (!new_idr && unit_type == H264_NAL_IDR_SLICE && (buf[1] & 0x80))
+ new_idr = 1;
/* prepend only to the first type 5 NAL unit of an IDR picture, if no sps/pps are already present */
- if (s->new_idr && unit_type == H264_NAL_IDR_SLICE && !s->idr_sps_seen && !s->idr_pps_seen) {
- if (ctx->par_out->extradata && (ret=alloc_and_copy(out,
- ctx->par_out->extradata, ctx->par_out->extradata_size,
- -1)) < 0)
- goto fail;
- s->new_idr = 0;
+ if (new_idr && unit_type == H264_NAL_IDR_SLICE && !sps_seen && !pps_seen) {
+ if (ctx->par_out->extradata)
+ count_or_copy(&out, &out_size, ctx->par_out->extradata,
+ ctx->par_out->extradata_size, -1, j);
+ new_idr = 0;
/* if only SPS has been seen, also insert PPS */
- } else if (s->new_idr && unit_type == H264_NAL_IDR_SLICE && s->idr_sps_seen && !s->idr_pps_seen) {
+ } else if (new_idr && unit_type == H264_NAL_IDR_SLICE && sps_seen && !pps_seen) {
if (!s->pps_size) {
- av_log(ctx, AV_LOG_WARNING, "PPS not present in the stream, nor in AVCC, stream may be unreadable\n");
- } else if ((ret = alloc_and_copy(out,
- s->pps, s->pps_size,
- -1)) < 0)
- goto fail;
+ LOG_ONCE(ctx, AV_LOG_WARNING, "PPS not present in the stream, nor in AVCC, stream may be unreadable\n");
+ } else {
+ count_or_copy(&out, &out_size, s->pps, s->pps_size, -1, j);
+ }
}
- if ((ret=alloc_and_copy(out, buf, nal_size, unit_type == H264_NAL_SPS || unit_type == H264_NAL_PPS)) < 0)
- goto fail;
- if (!s->new_idr && unit_type == H264_NAL_SLICE) {
- s->new_idr = 1;
- s->idr_sps_seen = 0;
- s->idr_pps_seen = 0;
+ count_or_copy(&out, &out_size, buf, nal_size,
+
unit_type == H264_NAL_SPS || unit_type == H264_NAL_PPS, j);
+ if (!new_idr && unit_type == H264_NAL_SLICE) {
+ new_idr = 1;
+ sps_seen = 0;
+ pps_seen = 0;
}
buf += nal_size;
} while (buf < buf_end);
- ret = av_packet_copy_props(out, in);
+ if (!j) {
+ if (out_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
+ ret = av_new_packet(opkt, out_size);
+ if (ret < 0)
+ goto fail;
+ out = opkt->data;
+ }
+ }
+#undef LOG_ONCE
+
+ av_assert1(out_size == opkt->size);
+
+ s->new_idr = new_idr;
+ s->idr_sps_seen = sps_seen;
+ s->idr_pps_seen = pps_seen;
+
+ ret = av_packet_copy_props(opkt, in);
if (ret < 0)
goto fail;
fail:
if (ret < 0)
- av_packet_unref(out);
+ av_packet_unref(opkt);
av_packet_free(&in);
return ret;
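Review bot: `av_assert1(out_size == opkt->size)` is the only check that the copy pass emitted exactly what the counting pass allocated, and av_assert1 is, if I remember FFmpeg's assert levels correctly, compiled out in a default build, while count_or_copy writes to `out` with no bound. Any code path whose behaviour differs with `j` (LOG_ONCE in the earlier hunks is the one such path) and also changes the amount emitted would then become a silent heap overflow on crafted input rather than an abort, which is the failure mode a fuzzer-driven change should be hardened against. Since this runs once per packet, `av_assert0(out_size == opkt->size);` is cheap insurance; alternatively pass the remaining room into count_or_copy and fail instead of writing. A one-line comment on `if (out_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)` saying it guards the implicit uint64_t-to-int narrowing in `av_new_packet(opkt, out_size)` (presumably leaving room for the padding av_new_packet appends) would also help readers. The function's prototype and declarations are in an earlier hunk.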