From patchwork Sat Apr 11 14:01:41 2020
X-Patchwork-Submitter: James Almer
X-Patchwork-Id: 18859
From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 11 Apr 2020 11:01:41 -0300
Message-Id: <20200411140141.5728-1-jamrial@gmail.com>
X-Mailer: git-send-email 2.26.0
Subject: [FFmpeg-devel] [PATCH] avcodec/cbs: use av_fast_realloc() in cbs_insert_unit()

Fixes: Timeout
Fixes: 20791/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_FRAME_SPLIT_fuzzer-5659537719951360
Fixes: 21214/clusterfuzz-testcase-minimized-ffmpeg_BSF_MPEG2_METADATA_fuzzer-5165560875974656
Fixes: 21247/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_METADATA_fuzzer-5715175257931776
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer
---
This can be ported to av_fast_realloc_array() once that's committed.

 libavcodec/cbs.c | 37 ++++++++++++++++---------------------
 libavcodec/cbs.h |  7 +++++++
 2 files changed, 23 insertions(+), 21 deletions(-)
diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c index 0bd5e1ac5d..48ed7b5f32 100644 --- a/libavcodec/cbs.c +++ b/libavcodec/cbs.c @@ -161,6 +161,7 @@ void ff_cbs_fragment_free(CodedBitstreamContext *ctx, av_freep(&frag->units); frag->nb_units_allocated = 0; + frag->unit_buffer_size = 0; } static int cbs_read_fragment_content(CodedBitstreamContext *ctx, @@ -684,35 +685,29 @@ static int cbs_insert_unit(CodedBitstreamContext *ctx, CodedBitstreamFragment *frag, int position) { - CodedBitstreamUnit *units; + CodedBitstreamUnit *units = frag->units; - if (frag->nb_units < frag->nb_units_allocated) { - units = frag->units; + if (frag->nb_units_allocated < frag->nb_units + 1) { + int new_size = frag->nb_units_allocated + 1; + void *tmp; - if (position < frag->nb_units) - memmove(units + position + 1, units + position, - (frag->nb_units - position) * sizeof(*units)); - } else { - units = av_malloc_array(frag->nb_units + 1, sizeof(*units)); - if (!units) + if (new_size >= INT_MAX / sizeof(*units)) return AVERROR(ENOMEM); - ++frag->nb_units_allocated; - - if (position > 0) - memcpy(units, frag->units, position * sizeof(*units)); + tmp = av_fast_realloc(units, &frag->unit_buffer_size, + new_size * sizeof(*units)); + if (!tmp) + return AVERROR(ENOMEM); - if (position < frag->nb_units) - memcpy(units + position + 1, frag->units + position, - (frag->nb_units - position) * sizeof(*units)); + frag->units = units = tmp; + frag->nb_units_allocated = new_size; } - memset(units + position, 0, sizeof(*units)); + if (position < frag->nb_units) + memmove(units + position + 1, units + position, + (frag->nb_units - position) * sizeof(*units)); - if (units != frag->units) { - av_free(frag->units); - frag->units = units; - } + memset(units + position, 0, sizeof(*units)); ++frag->nb_units; diff --git a/libavcodec/cbs.h b/libavcodec/cbs.h index 9ca1fbd609..3209a82608 100644 --- a/libavcodec/cbs.h +++ b/libavcodec/cbs.h 
@@ -153,6 +153,13 @@ typedef struct CodedBitstreamFragment { */ int nb_units_allocated; + /** + * Size of allocated unit buffer. + * + * Must always be > nb_units_allocated; designed for internal use by cbs. + */ + unsigned int unit_buffer_size; + /** * Pointer to an array of units of length nb_units_allocated. * Only the first nb_units are valid.
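Review bot: the reset of frag->unit_buffer_size next to nb_units_allocated in the ff_cbs_fragment_free() hunk is the right pairing, because av_fast_realloc() trusts the size it is handed and a stale non-zero value after av_freep(&frag->units) would make the next insertion treat a freed buffer as large enough; any other path that frees or swaps frag->units needs the same reset, so a short comment next to the field pointing at av_fast_realloc() would help keep them in step.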
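Review bot: in the cbs_insert_unit() hunk the overflow guard runs after `int new_size = frag->nb_units_allocated + 1;` has already been computed, so the addition itself is signed overflow when nb_units_allocated is INT_MAX; test the pre-increment value instead (`if (frag->nb_units_allocated >= INT_MAX / sizeof(*units))` before computing new_size). Separately, `frag->nb_units_allocated = new_size;` records only the one extra element that was requested, while av_fast_realloc() may have reserved more bytes in unit_buffer_size, so the `nb_units_allocated < frag->nb_units + 1` test fails on every insertion and av_fast_realloc() is re-entered each time just to return early; deriving it as `frag->nb_units_allocated = frag->unit_buffer_size / sizeof(*units);` keeps both fields describing the same allocation and lets the fast path skip the call.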
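Review bot: the new doc comment in cbs.h compares quantities in different units: unit_buffer_size is a byte count for av_fast_realloc() while nb_units_allocated counts CodedBitstreamUnit elements, and "Must always be > nb_units_allocated" is also false right after ff_cbs_fragment_free(), where the first hunk sets both to 0. State the invariant the code actually maintains, `unit_buffer_size >= nb_units_allocated * sizeof(CodedBitstreamUnit)`, and say explicitly that the field is the size bookkeeping av_fast_realloc() relies on and must not be written by users of the API, which is what "designed for internal use by cbs" is getting at.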