[FFmpeg-devel] [PATCH] avcodec/h2645_parse: remove initial skipped_bytes_pos buffer

James Almer jamrial at gmail.com
Thu Oct 8 16:25:11 EEST 2020


Allocate it only when needed, and instead of giving it a fixed initial size
that's doubled on each realloc, ensure it's always big enough for the NAL
currently being parsed.

Fixes: OOM
Fixes: 23817/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_METADATA_fuzzer-6300869057576960

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial at gmail.com>
---
 libavcodec/h2645_parse.c | 28 ++++++++++------------------
 1 file changed, 10 insertions(+), 18 deletions(-)

diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c
index 0f98b49fbe..f5c76323c1 100644
--- a/libavcodec/h2645_parse.c
+++ b/libavcodec/h2645_parse.c
@@ -108,22 +108,20 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length,
                 dst[di++] = 0;
                 si       += 3;
 
-                if (nal->skipped_bytes_pos) {
-                    nal->skipped_bytes++;
-                    if (nal->skipped_bytes_pos_size < nal->skipped_bytes) {
-                        nal->skipped_bytes_pos_size *= 2;
-                        av_assert0(nal->skipped_bytes_pos_size >= nal->skipped_bytes);
-                        av_reallocp_array(&nal->skipped_bytes_pos,
+                nal->skipped_bytes++;
+                if (nal->skipped_bytes_pos_size < nal->skipped_bytes) {
+                    nal->skipped_bytes_pos_size = length / 3;
+                    av_assert0(nal->skipped_bytes_pos_size >= nal->skipped_bytes);
+                    av_reallocp_array(&nal->skipped_bytes_pos,
                                 nal->skipped_bytes_pos_size,
                                 sizeof(*nal->skipped_bytes_pos));
-                        if (!nal->skipped_bytes_pos) {
-                            nal->skipped_bytes_pos_size = 0;
-                            return AVERROR(ENOMEM);
-                        }
+                    if (!nal->skipped_bytes_pos) {
+                        nal->skipped_bytes_pos_size = 0;
+                        return AVERROR(ENOMEM);
                     }
-                    if (nal->skipped_bytes_pos)
-                        nal->skipped_bytes_pos[nal->skipped_bytes-1] = di - 1;
                 }
+                if (nal->skipped_bytes_pos)
+                    nal->skipped_bytes_pos[nal->skipped_bytes-1] = di - 1;
                 continue;
             } else // next start code
                 goto nsc;
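Review bot: The new bound `nal->skipped_bytes_pos_size = length / 3;` relies on an invariant that is not stated next to the av_assert0 that enforces it: every emulation-prevention byte removed in this loop advances `si` by three, so a NAL of `length` bytes can hold at most length / 3 of them, and the assert should never fire on malformed input. Because av_assert0 aborts the process rather than returning an error, a comment above the assignment would help the next reader, e.g. `// each 00 00 03 sequence consumes three input bytes, so length / 3 bounds the count for this NAL`. With the outer `if (nal->skipped_bytes_pos)` guard gone, every caller now allocates the position array on the first emulation byte, which presumably is the intent of the lazy allocation; the remaining `if (nal->skipped_bytes_pos)` check before the store looks always true after a successful av_reallocp_array and could be marked as defensive. ff_h2645_extract_rbsp begins and ends outside this hunk.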
@@ -466,12 +464,6 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length,
             pkt->nals = tmp;
             memset(pkt->nals + pkt->nals_allocated, 0, sizeof(*pkt->nals));
 
-            nal = &pkt->nals[pkt->nb_nals];
-            nal->skipped_bytes_pos_size = 1024; // initial buffer size
-            nal->skipped_bytes_pos = av_malloc_array(nal->skipped_bytes_pos_size, sizeof(*nal->skipped_bytes_pos));
-            if (!nal->skipped_bytes_pos)
-                return AVERROR(ENOMEM);
-
             pkt->nals_allocated = new_size;
         }
         nal = &pkt->nals[pkt->nb_nals];
-- 
2.27.0


