[FFmpeg-devel] [PATCH] Respect payload offset in av_grow_packet
Andriy Lysnevych
andriy.lysnevych at gmail.com
Fri May 13 14:15:07 CEST 2016
The patch fixes the function when used with reference-counted packets
that have payload offset.
Also this function is dangerous for not reference-counted packets
because it just overwrites pkt->data. Probably it is better to
restrict using it with not referenced-counted packets because you
simply don't know how to do grow\realloc in this case.
h264_mp4toannexb and h265_mp4toannexb already call av_grow_packet on
input packets that leads to memory leak in case of not reference
counted packets.
---
libavcodec/avpacket.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c
index bcc7c79..327cd41 100644
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -110,24 +110,29 @@ int av_grow_packet(AVPacket *pkt, int grow_by)
{
int new_size;
av_assert0((unsigned)pkt->size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE);
- if (!pkt->size)
- return av_new_packet(pkt, grow_by);
- if ((unsigned)grow_by >
- INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE))
- return -1;
new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;
if (pkt->buf) {
- int ret = av_buffer_realloc(&pkt->buf, new_size);
- if (ret < 0)
- return ret;
+ int data_offset = pkt->data - pkt->buf->data;
+ if ((unsigned)grow_by >
+ INT_MAX - (pkt->size + data_offset + AV_INPUT_BUFFER_PADDING_SIZE))
+ return -1;
+ if (new_size + data_offset > pkt->buf->size) {
+ int ret = av_buffer_realloc(&pkt->buf, new_size + data_offset);
+ if (ret < 0)
+ return ret;
+ pkt->data = pkt->buf->data + data_offset;
+ }
} else {
+ if ((unsigned)grow_by >
+ INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE))
+ return -1;
pkt->buf = av_buffer_alloc(new_size);
if (!pkt->buf)
return AVERROR(ENOMEM);
- memcpy(pkt->buf->data, pkt->data, FFMIN(pkt->size, pkt->size
+ grow_by));
+ memcpy(pkt->buf->data, pkt->data, pkt->size);
+ pkt->data = pkt->buf->data;
}
- pkt->data = pkt->buf->data;
pkt->size += grow_by;
memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
--
2.7.4
More information about the ffmpeg-devel
mailing list