author | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2019-12-14 23:19:23 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2020-03-06 00:58:31 +0100 |
commit | cb47c6c6148d88ffd2f4e90e7d0b6decb23e350f (patch) | |
tree | 2c4534ff2b33c60dff7954aac045979035b5cf95 /libavcodec/h264_mp4toannexb_bsf.c | |
parent | 84c87e41a68dc4164a2a130504cd9c5b4413b744 (diff) | |
h264_mp4toannexb: Stop reallocating the output buffer
Up until now, h264_mp4toannexb would grow the output packet's buffer by
the desired amount every time another NAL unit of the input packet has
been read; this commit changes this: The input buffer is now essentially
parsed twice, once to determine the final size of the output packet and
once to write the output packet's data.
Fixes: Timeout
Fixes: 19322/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-5688407821123584
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/h264_mp4toannexb_bsf.c')
-rw-r--r-- | libavcodec/h264_mp4toannexb_bsf.c | 124 |
1 files changed, 72 insertions, 52 deletions
diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c
index 1505ee1c3d..4b92f0de94 100644
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -42,27 +42,23 @@ typedef struct H264BSFContext {
 int extradata_parsed;
 } H264BSFContext;
-static int alloc_and_copy(AVPacket *out,
- const uint8_t *in, uint32_t in_size, int ps)
+static void count_or_copy(uint8_t **out, uint64_t *out_size,
+ const uint8_t *in, int in_size, int ps, int copy)
 {
- uint32_t offset = out->size;
- uint8_t start_code_size = ps < 0 ? 0 : offset == 0 || ps ? 4 : 3;
- int err;
+ uint8_t start_code_size = ps < 0 ? 0 : *out_size == 0 || ps ? 4 : 3;
- err = av_grow_packet(out, in_size + start_code_size);
- if (err < 0)
- return err;
-
- memcpy(out->data + start_code_size + offset, in, in_size);
+ if (copy) {
+ memcpy(*out + start_code_size, in, in_size);
 if (start_code_size == 4) {
- AV_WB32(out->data + offset, 1);
+ AV_WB32(*out, 1);
 } else if (start_code_size) {
- (out->data + offset)[0] =
- (out->data + offset)[1] = 0;
- (out->data + offset)[2] = 1;
+ (*out)[0] =
+ (*out)[1] = 0;
+ (*out)[2] = 1;
 }
-
- return 0;
+ *out += start_code_size + in_size;
+ }
+ *out_size += start_code_size + in_size;
 }
 static int h264_extradata_to_annexb(AVBSFContext *ctx, const int padding)
@@ -169,15 +165,17 @@ static int h264_mp4toannexb_init(AVBSFContext *ctx)
 return 0;
 }
-static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
+static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt)
 {
 H264BSFContext *s = ctx->priv_data;
 AVPacket *in;
- uint8_t unit_type;
+ uint8_t unit_type, new_idr, sps_seen, pps_seen;
 int32_t nal_size;
 const uint8_t *buf;
 const uint8_t *buf_end;
+ uint8_t *out;
+ uint64_t out_size;
 int ret = 0, i;
 ret = ff_bsf_get_packet(ctx, &in);
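Review bot: count_or_copy() carries no comment stating its contract, and in copy mode it writes through `*out` with no bound of its own. I would add a comment above it such as `/* copy == 0: only add to *out_size, *out is never read; copy != 0: also write to *out, which must have room for the total computed by a preceding counting pass. */`. Separately, `in_size` is now a signed `int` that is added into a `uint64_t`, so a negative value would wrap to a huge size; the callers appear to pass validated sizes, but that validation is outside this hunk.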
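Review bot: `uint8_t *out;` is declared without an initializer, and its address is handed to count_or_copy() during the counting pass before any buffer exists. Nothing visible reads it in that pass, but `uint8_t *out = NULL;` would make any later misuse fault predictably instead of writing through an indeterminate pointer. The body of h264_mp4toannexb_filter continues outside this hunk.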
@@ -186,14 +184,23 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
 /* nothing to filter */
 if (!s->extradata_parsed) {
- av_packet_move_ref(out, in);
+ av_packet_move_ref(opkt, in);
 av_packet_free(&in);
 return 0;
 }
- buf = in->data;
 buf_end = in->data + in->size;
+#define LOG_ONCE(...) \
+ if (j) \
+ av_log(__VA_ARGS__)
+ for (int j = 0; j < 2; j++) {
+ buf = in->data;
+ new_idr = s->new_idr;
+ sps_seen = s->idr_sps_seen;
+ pps_seen = s->idr_pps_seen;
+ out_size = 0;
+
 do {
 ret= AVERROR(EINVAL);
 if (buf + s->length_size > buf_end)
@@ -209,20 +216,16 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
 goto fail;
 if (unit_type == H264_NAL_SPS)
- s->idr_sps_seen = s->new_idr = 1;
+ sps_seen = new_idr = 1;
 else if (unit_type == H264_NAL_PPS) {
- s->idr_pps_seen = s->new_idr = 1;
+ pps_seen = new_idr = 1;
 /* if SPS has not been seen yet, prepend the AVCC one to PPS */
- if (!s->idr_sps_seen) {
+ if (!sps_seen) {
 if (!s->sps_size)
- av_log(ctx, AV_LOG_WARNING, "SPS not present in the stream, nor in AVCC, stream may be unreadable\n");
+ LOG_ONCE(ctx, AV_LOG_WARNING, "SPS not present in the stream, nor in AVCC, stream may be unreadable\n");
 else {
- if ((ret = alloc_and_copy(out,
- s->sps,
- s->sps_size,
- -1)) < 0)
- goto fail;
- s->idr_sps_seen = 1;
+ count_or_copy(&out, &out_size, s->sps, s->sps_size, -1, j);
+ sps_seen = 1;
 }
 }
 }
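Review bot: LOG_ONCE expands to a bare `if (j) av_log(...)`, so in the following hunk (`@@ -209`) the unbraced `if (!s->sps_size) LOG_ONCE(...); else { count_or_copy(...); sps_seen = 1; }` binds its `else` to the macro's `if (j)` rather than to `if (!s->sps_size)`. As written, the AVCC SPS is no longer prepended when `s->sps_size` is non-zero, and when it is zero the two passes take different branches (pass 0 sets `sps_seen`, pass 1 logs), which is the kind of divergence the unchecked copy pass depends on never happening. Wrapping the macro fixes it: `#define LOG_ONCE(...) do { if (j) av_log(__VA_ARGS__); } while (0)`. The PPS site later in the diff already uses braces and is not affected.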
@@ -230,44 +233,61 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
 /* if this is a new IDR picture following an IDR picture, reset the idr flag.
 * Just check first_mb_in_slice to be 0 as this is the simplest solution.
 * This could be checking idr_pic_id instead, but would complexify the parsing. */
- if (!s->new_idr && unit_type == H264_NAL_IDR_SLICE && (buf[1] & 0x80))
- s->new_idr = 1;
+ if (!new_idr && unit_type == H264_NAL_IDR_SLICE && (buf[1] & 0x80))
+ new_idr = 1;
 /* prepend only to the first type 5 NAL unit of an IDR picture, if no sps/pps are already present */
- if (s->new_idr && unit_type == H264_NAL_IDR_SLICE && !s->idr_sps_seen && !s->idr_pps_seen) {
- if (ctx->par_out->extradata && (ret=alloc_and_copy(out,
- ctx->par_out->extradata, ctx->par_out->extradata_size,
- -1)) < 0)
- goto fail;
- s->new_idr = 0;
+ if (new_idr && unit_type == H264_NAL_IDR_SLICE && !sps_seen && !pps_seen) {
+ if (ctx->par_out->extradata)
+ count_or_copy(&out, &out_size, ctx->par_out->extradata,
+ ctx->par_out->extradata_size, -1, j);
+ new_idr = 0;
 /* if only SPS has been seen, also insert PPS */
- } else if (s->new_idr && unit_type == H264_NAL_IDR_SLICE && s->idr_sps_seen && !s->idr_pps_seen) {
+ } else if (new_idr && unit_type == H264_NAL_IDR_SLICE && sps_seen && !pps_seen) {
 if (!s->pps_size) {
- av_log(ctx, AV_LOG_WARNING, "PPS not present in the stream, nor in AVCC, stream may be unreadable\n");
- } else if ((ret = alloc_and_copy(out,
- s->pps, s->pps_size,
- -1)) < 0)
- goto fail;
+ LOG_ONCE(ctx, AV_LOG_WARNING, "PPS not present in the stream, nor in AVCC, stream may be unreadable\n");
+ } else {
+ count_or_copy(&out, &out_size, s->pps, s->pps_size, -1, j);
+ }
 }
- if ((ret=alloc_and_copy(out, buf, nal_size, unit_type == H264_NAL_SPS || unit_type == H264_NAL_PPS)) < 0)
- goto fail;
- if (!s->new_idr && unit_type == H264_NAL_SLICE) {
- s->new_idr = 1;
- s->idr_sps_seen = 0;
- s->idr_pps_seen = 0;
+ count_or_copy(&out, &out_size, buf, nal_size,
+ unit_type == H264_NAL_SPS || unit_type == H264_NAL_PPS, j);
+ if (!new_idr && unit_type == H264_NAL_SLICE) {
+ new_idr = 1;
+ sps_seen = 0;
+ pps_seen = 0;
 }
 buf += nal_size;
 } while (buf < buf_end);
- ret = av_packet_copy_props(out, in);
+ if (!j) {
+ if (out_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
+ ret = av_new_packet(opkt, out_size);
+ if (ret < 0)
+ goto fail;
+ out = opkt->data;
+ }
+ }
+#undef LOG_ONCE
+
+ av_assert1(out_size == opkt->size);
+
+ s->new_idr = new_idr;
+ s->idr_sps_seen = sps_seen;
+ s->idr_pps_seen = pps_seen;
+
+ ret = av_packet_copy_props(opkt, in);
 if (ret < 0)
 goto fail;
 fail:
 if (ret < 0)
- av_packet_unref(out);
+ av_packet_unref(opkt);
 av_packet_free(&in);
 return ret; |
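Review bot: The copy pass (`j == 1`) writes into `opkt->data` with no bounds check, so it is safe only if both passes make exactly the same sequence of count_or_copy() calls. The sole cross-check, `av_assert1(out_size == opkt->size)`, runs after the writes have already happened and is only active in builds configured with a raised assert level. I would state the invariant in a comment at the `if (!j)` block, for example `/* Pass 1 must repeat pass 0 exactly: nothing that depends on j may change which units are emitted or their sizes. */`, and consider letting count_or_copy() receive the remaining capacity so a mismatch fails cleanly instead of overrunning the packet buffer. The loop body starts outside this hunk.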