From patchwork Fri Oct 9 21:35:10 2020
X-Patchwork-Submitter: James Almer
X-Patchwork-Id: 22803
From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 9 Oct 2020 18:35:10 -0300
Message-Id: <20201009213510.14533-1-jamrial@gmail.com>
In-Reply-To: <20201008132511.1964-1-jamrial@gmail.com>
References: <20201008132511.1964-1-jamrial@gmail.com>
Subject: [FFmpeg-devel] [PATCH] avcodec/h2645_parse: remove initial skipped_bytes_pos buffer

Allocate it only when it's needed.

Fixes: OOM
Fixes: 23817/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_METADATA_fuzzer-6300869057576960
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer
---
 libavcodec/h2645_parse.c | 28 ++++++++++------------------
 1 file changed, 10 insertions(+), 18 deletions(-)

diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c
index 0f98b49fbe..929fb34eef 100644
--- a/libavcodec/h2645_parse.c +++ b/libavcodec/h2645_parse.c @@ -108,22 +108,20 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length, dst[di++] = 0; si += 3; - if (nal->skipped_bytes_pos) { - nal->skipped_bytes++; - if (nal->skipped_bytes_pos_size < nal->skipped_bytes) { - nal->skipped_bytes_pos_size *= 2; - av_assert0(nal->skipped_bytes_pos_size >= nal->skipped_bytes); - av_reallocp_array(&nal->skipped_bytes_pos, + nal->skipped_bytes++; + if (nal->skipped_bytes_pos_size < nal->skipped_bytes) { + nal->skipped_bytes_pos_size = nal->skipped_bytes * 2; + av_assert0(nal->skipped_bytes_pos_size >= nal->skipped_bytes); + av_reallocp_array(&nal->skipped_bytes_pos, nal->skipped_bytes_pos_size, sizeof(*nal->skipped_bytes_pos)); - if (!nal->skipped_bytes_pos) { - nal->skipped_bytes_pos_size = 0; - return AVERROR(ENOMEM); - } + if (!nal->skipped_bytes_pos) { + nal->skipped_bytes_pos_size = 0; + return AVERROR(ENOMEM); } - if (nal->skipped_bytes_pos) - nal->skipped_bytes_pos[nal->skipped_bytes-1] = di - 1; } + if (nal->skipped_bytes_pos) + nal->skipped_bytes_pos[nal->skipped_bytes-1] = di - 1; continue; } else // next start code goto nsc; @@ -466,12 +464,6 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, pkt->nals = tmp; memset(pkt->nals + pkt->nals_allocated, 0, sizeof(*pkt->nals)); - nal = &pkt->nals[pkt->nb_nals]; - nal->skipped_bytes_pos_size = 1024; // initial buffer size - nal->skipped_bytes_pos = av_malloc_array(nal->skipped_bytes_pos_size, sizeof(*nal->skipped_bytes_pos)); - if (!nal->skipped_bytes_pos) - return AVERROR(ENOMEM); - pkt->nals_allocated = new_size; } nal = &pkt->nals[pkt->nb_nals];
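Review bot: in the ff_h2645_extract_rbsp hunk (@@ -108,22 +108,20 @@), the trailing `if (nal->skipped_bytes_pos)` guard in front of `nal->skipped_bytes_pos[nal->skipped_bytes-1] = di - 1;` is dead as far as this hunk shows: after `nal->skipped_bytes++` the count is at least 1, so a NULL buffer with skipped_bytes_pos_size at 0 always enters the reallocation branch, which either leaves a non-NULL buffer behind or resets the size to 0 and returns AVERROR(ENOMEM). Either drop the guard or turn it into an av_assert0 so the invariant is explicit. The switch from `nal->skipped_bytes_pos_size *= 2;` to `nal->skipped_bytes_pos_size = nal->skipped_bytes * 2;` is the piece that makes lazy allocation work, because doubling a size of 0 would never grow the buffer; a one-line comment saying so would save the next reader a trip through the git log. With this change the position array is bounded by the number of emulation-prevention bytes actually encountered in the NAL (at most one per three input bytes) instead of a fixed 1024 entries per NAL, which is the memory bound the OOM fix relies on.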
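Review bot: in the ff_h2645_packet_split hunk (@@ -466,12 +464,6 @@), removing the eager 1024-entry av_malloc_array makes the lazy path in ff_h2645_extract_rbsp depend on the preceding `memset(pkt->nals + pkt->nals_allocated, 0, sizeof(*pkt->nals));` leaving skipped_bytes_pos NULL and skipped_bytes_pos_size 0 in every newly added slot. That memset clears exactly one element of pkt->nals, so the change is only correct if new_size is always nals_allocated + 1; the hunk does not show how new_size is computed, so please confirm that, or zero the whole `new_size - pkt->nals_allocated` range to make the code robust against a future change to the growth policy. The blank line now left between the memset and `pkt->nals_allocated = new_size;` can go. It would also help to say in the commit message why the per-NAL 1024-entry buffer was the OOM: its cost scaled with the number of NAL units in the input rather than with the emulation-prevention bytes actually present, so a packet split into many small NALs paid for position storage it never used.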