[FFmpeg-devel] [PATCH] avcodec/av1_metadata: don't store the inserted TD OBU in stack
Andreas Rheinhardt
andreas.rheinhardt at outlook.com
Fri Apr 23 23:00:21 EEST 2021
James Almer:
> Fixes: stack-use-after-return
> Fixes: clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-5931515701755904
> Fixes: clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-6105676541722624
>
> Signed-off-by: James Almer <jamrial at gmail.com>
> ---
> libavcodec/av1_metadata_bsf.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/libavcodec/av1_metadata_bsf.c b/libavcodec/av1_metadata_bsf.c
> index 328db5c0da..b1ae364431 100644
> --- a/libavcodec/av1_metadata_bsf.c
> +++ b/libavcodec/av1_metadata_bsf.c
> @@ -28,6 +28,7 @@ typedef struct AV1MetadataContext {
> CBSBSFContext common;
>
> int td;
> + AV1RawOBU td_obu;
>
> int color_primaries;
> int transfer_characteristics;
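Review bot: The new `td_obu` field in AV1MetadataContext has no comment explaining why it lives in the context, so a later cleanup could move it back to a local and reintroduce the stack-use-after-return this commit fixes. In the third hunk its address is passed to `ff_cbs_insert_unit_content()` with a NULL buffer reference, which, judging by the fuzzer reports, leaves the fragment holding the caller's pointer after `av1_metadata_update_fragment()` returns. I would add above the field: `/* Backing storage for the inserted TD: the fragment keeps a pointer to it, so it must outlive av1_metadata_update_fragment(). */`. The struct definition continues outside this hunk.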
> @@ -107,7 +108,7 @@ static int av1_metadata_update_fragment(AVBSFContext *bsf, AVPacket *pkt,
> CodedBitstreamFragment *frag)
> {
> AV1MetadataContext *ctx = bsf->priv_data;
> - AV1RawOBU td, *obu;
> + AV1RawOBU *obu;
> int err, i;
>
> for (i = 0; i < frag->nb_units; i++) {
> @@ -124,12 +125,12 @@ static int av1_metadata_update_fragment(AVBSFContext *bsf, AVPacket *pkt,
> if (ctx->td == BSF_ELEMENT_REMOVE)
> ff_cbs_delete_unit(frag, 0);
> } else if (pkt && ctx->td == BSF_ELEMENT_INSERT) {
> - td = (AV1RawOBU) {
> + ctx->td_obu = (AV1RawOBU) {
> .header.obu_type = AV1_OBU_TEMPORAL_DELIMITER,
> };
I think you can move the initialization to init. LGTM anyway.
>
> err = ff_cbs_insert_unit_content(frag, 0, AV1_OBU_TEMPORAL_DELIMITER,
> - &td, NULL);
> + &ctx->td_obu, NULL);
> if (err < 0) {
> av_log(bsf, AV_LOG_ERROR, "Failed to insert Temporal Delimiter.\n");
> return err;
>