[FFmpeg-devel] [PATCH v2 11/14] h264_mp4toannexb: Stop reallocating the output buffer
Andreas Rheinhardt
andreas.rheinhardt at gmail.com
Sun Dec 15 00:19:23 EET 2019
Up until now, h264_mp4toannexb would grow the output packet's buffer by
the desired amount every time another NAL unit of the input packet has
been read; this commit changes this: The input buffer is now essentially
parsed twice, once to determine the final size of the output packet and
once to write the output packet's data.
Fixes: Timeout
Fixes: 19322/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-5688407821123584
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
---
libavcodec/h264_mp4toannexb_bsf.c | 124 +++++++++++++++++-------------
1 file changed, 72 insertions(+), 52 deletions(-)
diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c
index 1505ee1c3d..4b92f0de94 100644
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -42,27 +42,23 @@ typedef struct H264BSFContext {
int extradata_parsed;
} H264BSFContext;
-static int alloc_and_copy(AVPacket *out,
- const uint8_t *in, uint32_t in_size, int ps)
+static void count_or_copy(uint8_t **out, uint64_t *out_size,
+ const uint8_t *in, int in_size, int ps, int copy)
{
- uint32_t offset = out->size;
- uint8_t start_code_size = ps < 0 ? 0 : offset == 0 || ps ? 4 : 3;
- int err;
+ uint8_t start_code_size = ps < 0 ? 0 : *out_size == 0 || ps ? 4 : 3;
- err = av_grow_packet(out, in_size + start_code_size);
- if (err < 0)
- return err;
-
- memcpy(out->data + start_code_size + offset, in, in_size);
+ if (copy) {
+ memcpy(*out + start_code_size, in, in_size);
if (start_code_size == 4) {
- AV_WB32(out->data + offset, 1);
+ AV_WB32(*out, 1);
} else if (start_code_size) {
- (out->data + offset)[0] =
- (out->data + offset)[1] = 0;
- (out->data + offset)[2] = 1;
+ (*out)[0] =
+ (*out)[1] = 0;
+ (*out)[2] = 1;
}
-
- return 0;
+ *out += start_code_size + in_size;
+ }
+ *out_size += start_code_size + in_size;
}
static int h264_extradata_to_annexb(AVBSFContext *ctx, const int padding)
@@ -169,15 +165,17 @@ static int h264_mp4toannexb_init(AVBSFContext *ctx)
return 0;
}
-static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
+static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt)
{
H264BSFContext *s = ctx->priv_data;
AVPacket *in;
- uint8_t unit_type;
+ uint8_t unit_type, new_idr, sps_seen, pps_seen;
int32_t nal_size;
const uint8_t *buf;
const uint8_t *buf_end;
+ uint8_t *out;
+ uint64_t out_size;
int ret = 0, i;
ret = ff_bsf_get_packet(ctx, &in);
@@ -186,14 +184,23 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
/* nothing to filter */
if (!s->extradata_parsed) {
- av_packet_move_ref(out, in);
+ av_packet_move_ref(opkt, in);
av_packet_free(&in);
return 0;
}
- buf = in->data;
buf_end = in->data + in->size;
+#define LOG_ONCE(...) \
+ if (j) \
+ av_log(__VA_ARGS__)
+ for (int j = 0; j < 2; j++) {
+ buf = in->data;
+ new_idr = s->new_idr;
+ sps_seen = s->idr_sps_seen;
+ pps_seen = s->idr_pps_seen;
+ out_size = 0;
+
do {
ret= AVERROR(EINVAL);
if (buf + s->length_size > buf_end)
@@ -209,20 +216,16 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
goto fail;
if (unit_type == H264_NAL_SPS)
- s->idr_sps_seen = s->new_idr = 1;
+ sps_seen = new_idr = 1;
else if (unit_type == H264_NAL_PPS) {
- s->idr_pps_seen = s->new_idr = 1;
+ pps_seen = new_idr = 1;
/* if SPS has not been seen yet, prepend the AVCC one to PPS */
- if (!s->idr_sps_seen) {
+ if (!sps_seen) {
if (!s->sps_size)
- av_log(ctx, AV_LOG_WARNING, "SPS not present in the stream, nor in AVCC, stream may be unreadable\n");
+ LOG_ONCE(ctx, AV_LOG_WARNING, "SPS not present in the stream, nor in AVCC, stream may be unreadable\n");
else {
- if ((ret = alloc_and_copy(out,
- s->sps,
- s->sps_size,
- -1)) < 0)
- goto fail;
- s->idr_sps_seen = 1;
+ count_or_copy(&out, &out_size, s->sps, s->sps_size, -1, j);
+ sps_seen = 1;
}
}
}
@@ -230,44 +233,61 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
/* if this is a new IDR picture following an IDR picture, reset the idr flag.
* Just check first_mb_in_slice to be 0 as this is the simplest solution.
* This could be checking idr_pic_id instead, but would complexify the parsing. */
- if (!s->new_idr && unit_type == H264_NAL_IDR_SLICE && (buf[1] & 0x80))
- s->new_idr = 1;
+ if (!new_idr && unit_type == H264_NAL_IDR_SLICE && (buf[1] & 0x80))
+ new_idr = 1;
/* prepend only to the first type 5 NAL unit of an IDR picture, if no sps/pps are already present */
- if (s->new_idr && unit_type == H264_NAL_IDR_SLICE && !s->idr_sps_seen && !s->idr_pps_seen) {
- if (ctx->par_out->extradata && (ret=alloc_and_copy(out,
- ctx->par_out->extradata, ctx->par_out->extradata_size,
- -1)) < 0)
- goto fail;
- s->new_idr = 0;
+ if (new_idr && unit_type == H264_NAL_IDR_SLICE && !sps_seen && !pps_seen) {
+ if (ctx->par_out->extradata)
+ count_or_copy(&out, &out_size, ctx->par_out->extradata,
+ ctx->par_out->extradata_size, -1, j);
+ new_idr = 0;
/* if only SPS has been seen, also insert PPS */
- } else if (s->new_idr && unit_type == H264_NAL_IDR_SLICE && s->idr_sps_seen && !s->idr_pps_seen) {
+ } else if (new_idr && unit_type == H264_NAL_IDR_SLICE && sps_seen && !pps_seen) {
if (!s->pps_size) {
- av_log(ctx, AV_LOG_WARNING, "PPS not present in the stream, nor in AVCC, stream may be unreadable\n");
- } else if ((ret = alloc_and_copy(out,
- s->pps, s->pps_size,
- -1)) < 0)
- goto fail;
+ LOG_ONCE(ctx, AV_LOG_WARNING, "PPS not present in the stream, nor in AVCC, stream may be unreadable\n");
+ } else {
+ count_or_copy(&out, &out_size, s->pps, s->pps_size, -1, j);
+ }
}
- if ((ret=alloc_and_copy(out, buf, nal_size, unit_type == H264_NAL_SPS || unit_type == H264_NAL_PPS)) < 0)
- goto fail;
- if (!s->new_idr && unit_type == H264_NAL_SLICE) {
- s->new_idr = 1;
- s->idr_sps_seen = 0;
- s->idr_pps_seen = 0;
+ count_or_copy(&out, &out_size, buf, nal_size,
+ unit_type == H264_NAL_SPS || unit_type == H264_NAL_PPS, j);
+ if (!new_idr && unit_type == H264_NAL_SLICE) {
+ new_idr = 1;
+ sps_seen = 0;
+ pps_seen = 0;
}
buf += nal_size;
} while (buf < buf_end);
- ret = av_packet_copy_props(out, in);
+ if (!j) {
+ if (out_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
+ ret = av_new_packet(opkt, out_size);
+ if (ret < 0)
+ goto fail;
+ out = opkt->data;
+ }
+ }
+#undef LOG_ONCE
+
+ av_assert1(out_size == opkt->size);
+
+ s->new_idr = new_idr;
+ s->idr_sps_seen = sps_seen;
+ s->idr_pps_seen = pps_seen;
+
+ ret = av_packet_copy_props(opkt, in);
if (ret < 0)
goto fail;
fail:
if (ret < 0)
- av_packet_unref(out);
+ av_packet_unref(opkt);
av_packet_free(&in);
return ret;
--
2.20.1
More information about the ffmpeg-devel
mailing list