[FFmpeg-devel] [PATCH] Respect payload offset in av_grow_packet

Andriy Lysnevych andriy.lysnevych at gmail.com
Fri May 13 14:15:07 CEST 2016


The patch fixes the function when used with reference-counted packets
that have payload offset.

Also this function is dangerous for not reference-counted packets
because it just overwrites pkt->data. Probably it is better to
restrict using it with not referenced-counted packets because you
simply don't know how to do grow\realloc in this case.

h264_mp4toannexb and h265_mp4toannexb already call av_grow_packet on
input packets that leads to memory leak in case of not reference
counted packets.

---
 libavcodec/avpacket.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c
index bcc7c79..327cd41 100644
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -110,24 +110,29 @@ int av_grow_packet(AVPacket *pkt, int grow_by)
 {
     int new_size;
     av_assert0((unsigned)pkt->size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE);
-    if (!pkt->size)
-        return av_new_packet(pkt, grow_by);
-    if ((unsigned)grow_by >
-        INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE))
-        return -1;

     new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;
     if (pkt->buf) {
-        int ret = av_buffer_realloc(&pkt->buf, new_size);
-        if (ret < 0)
-            return ret;
+        int data_offset = pkt->data - pkt->buf->data;
+        if ((unsigned)grow_by >
+            INT_MAX - (pkt->size + data_offset + AV_INPUT_BUFFER_PADDING_SIZE))
+            return -1;
+        if (new_size + data_offset > pkt->buf->size) {
+            int ret = av_buffer_realloc(&pkt->buf, new_size + data_offset);
+            if (ret < 0)
+                return ret;
+            pkt->data = pkt->buf->data + data_offset;
+        }
     } else {
+        if ((unsigned)grow_by >
+            INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE))
+            return -1;
         pkt->buf = av_buffer_alloc(new_size);
         if (!pkt->buf)
             return AVERROR(ENOMEM);
-        memcpy(pkt->buf->data, pkt->data, FFMIN(pkt->size, pkt->size
+ grow_by));
+        memcpy(pkt->buf->data, pkt->data, pkt->size);
+        pkt->data = pkt->buf->data;
     }
-    pkt->data  = pkt->buf->data;
     pkt->size += grow_by;
     memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE);

-- 
2.7.4


More information about the ffmpeg-devel mailing list