
[FFmpeg-devel] avcodec/snowdec: Maintain avmv buffer

Message ID 20210815192554.14648-1-michael@niedermayer.cc
State Accepted
Commit 0faf04e807fc09bb3d72a034c284fe44b54fa76b

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer Aug. 15, 2021, 7:25 p.m. UTC
This avoids reallocating per frame

Fixes: Assertion failure
Fixes: 36359/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6733238591684608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/snow.h    |  1 +
 libavcodec/snowdec.c | 17 +++++++++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)

Comments

Michael Niedermayer Sept. 19, 2021, 8:43 p.m. UTC | #1
On Sun, Aug 15, 2021 at 09:25:54PM +0200, Michael Niedermayer wrote:
> This avoids reallocating per frame
> 
> Fixes: Assertion failure
> Fixes: 36359/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6733238591684608
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>


will apply


[...]

Patch

diff --git a/libavcodec/snow.h b/libavcodec/snow.h
index c0d2599859..8795491cf3 100644
--- a/libavcodec/snow.h
+++ b/libavcodec/snow.h
@@ -186,6 +186,7 @@  typedef struct SnowContext{
     uint8_t *emu_edge_buffer;
 
     AVMotionVector *avmv;
+    unsigned avmv_size;
     int avmv_index;
     uint64_t encoding_error[AV_NUM_DATA_POINTERS];
 
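Review bot: The new `avmv_size` field has no comment stating its unit, and it sits next to `avmv_index`, which the snowdec.c memcpy treats as an element count. The snowdec.c hunk passes it to `av_fast_malloc()` together with a byte size, so it holds allocated bytes, not a number of `AVMotionVector` entries. I would document it as `unsigned avmv_size; ///< allocated size of avmv in bytes, maintained by av_fast_malloc()` so that a later bounds check does not compare it directly against `avmv_index`. The struct begins and ends outside this hunk.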
diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 1355ae6ed1..cd2265aba1 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -492,9 +492,17 @@  static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                s->spatial_decomposition_count
               );
 
-    av_assert0(!s->avmv);
     if (s->avctx->export_side_data & AV_CODEC_EXPORT_DATA_MVS) {
-        s->avmv = av_malloc_array(s->b_width * s->b_height, sizeof(AVMotionVector) << (s->block_max_depth*2));
+        size_t size;
+        res = av_size_mult(s->b_width * s->b_height, sizeof(AVMotionVector) << (s->block_max_depth*2), &size);
+        if (res)
+            return res;
+        av_fast_malloc(&s->avmv, &s->avmv_size, size);
+        if (!s->avmv)
+            return AVERROR(ENOMEM);
+    } else {
+        s->avmv_size = 0;
+        av_freep(&s->avmv);
     }
     s->avmv_index = 0;
 
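Review bot: The overflow check added with `av_size_mult()` does not cover the first factor, because `s->b_width * s->b_height` is multiplied before the call, presumably in `int` since the field declarations are outside the hunk. If that product can overflow for some accepted frame dimensions, the value passed in is already wrong and the buffer may be smaller than the code that fills `avmv` expects. Whether the dimensions are bounded earlier in `decode_frame` is not visible here, as the function starts and ends outside the hunk. Chaining the check closes the gap regardless: `res = av_size_mult(s->b_width, s->b_height, &size);` followed by `if (!res) res = av_size_mult(size, sizeof(AVMotionVector) << (s->block_max_depth*2), &size);`. A one-line comment that `avmv` now persists across frames and is released in `decode_end` would also help readers of the later memcpy.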
@@ -623,8 +631,6 @@  static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
         memcpy(sd->data, s->avmv, s->avmv_index * sizeof(AVMotionVector));
     }
 
-    av_freep(&s->avmv);
-
     if (res < 0)
         return res;
 
@@ -644,6 +650,9 @@  static av_cold int decode_end(AVCodecContext *avctx)
 
     ff_snow_common_end(s);
 
+    s->avmv_size = 0;
+    av_freep(&s->avmv);
+
     return 0;
 }