[FFmpeg-devel] [PATCH 1/5] avcodec/pcm_rechunk_bsf: unref packet before putting a new one in

Mon Apr 17 14:34:34 EEST 2023

On Mon, Apr 17, 2023 at 08:28:37AM -0300, James Almer wrote:
> On 4/17/2023 8:26 AM, Michael Niedermayer wrote:
> > On Sun, Apr 16, 2023 at 07:57:00PM -0300, James Almer wrote:
> > > On 4/16/2023 7:25 PM, Michael Niedermayer wrote:
> > > > Fixes: memleak
> > > > Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_BSF_PCM_RECHUNK_fuzzer-5562089618407424
> > > > 
> > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > > ---
> > > >    libavcodec/pcm_rechunk_bsf.c | 1 +
> > > >    1 file changed, 1 insertion(+)
> > > > 
> > > > diff --git a/libavcodec/pcm_rechunk_bsf.c b/libavcodec/pcm_rechunk_bsf.c
> > > > index 108d9e90b99..3f43934fe9a 100644
> > > > --- a/libavcodec/pcm_rechunk_bsf.c
> > > > +++ b/libavcodec/pcm_rechunk_bsf.c
> > > > @@ -153,6 +153,7 @@ static int rechunk_filter(AVBSFContext *ctx, AVPacket *pkt)
> > > >                }
> > > >            }
> > > > +        av_packet_unref(s->in_pkt);
> > > 
> > > This could be pointing to a bug in the above code, and unreffing here like
> > > this would result in data loss.
> > > 
> > > Does the following change also fix the memleak?
> > > 
> > > > diff --git a/libavcodec/pcm_rechunk_bsf.c b/libavcodec/pcm_rechunk_bsf.c
> > > > index 108d9e90b9..032f914916 100644
> > > > --- a/libavcodec/pcm_rechunk_bsf.c
> > > > +++ b/libavcodec/pcm_rechunk_bsf.c
> > > > @@ -151,7 +151,8 @@ static int rechunk_filter(AVBSFContext *ctx, AVPacket *pkt)
> > > >                   av_packet_move_ref(pkt, s->in_pkt);
> > > >                   return send_packet(s, nb_samples, pkt);
> > > >               }
> > > > -        }
> > > > +        } else
> > > > +            av_packet_unref(s->in_pkt);
> > > > 
> > > >           ret = ff_bsf_get_packet_ref(ctx, s->in_pkt);
> > > >           if (ret == AVERROR_EOF && s->out_pkt->size) {
> > > 
> > > If it does then a zero sized packet with either only side data or that went
> > > through the av_packet_make_refcounted() in av_bsf_send_packet() that left it
> > > with an allocated padding buffer was fed to this bsf.
> > 
> > yes this works too
> > and this memleak is open since a year, its the 2nd time i submited this
> 
> Yes, i had a sense of deja vu.
> 
> > patch, last time the discussions didnt lead to any consensus on what to do
> > I hope this time some fix from someone ends up in git
> > 
> > thx
> 
> Just apply the suggested change i made above.

ok

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20230417/ce9c2a10/attachment.sig>