Commit 5804201c authored by Michael Niedermayer's avatar Michael Niedermayer

avutil/frame: Reimplement av_frame_new_side_data() without size=0 special case

The size 0 special case causes side data to be created which is
different, and thus itself a special case, if for any reason size = 0 is passed

Fixes: multiple runtime error: null pointer passed as argument 1, which is declared to never be null
Fixes: 653/clusterfuzz-testcase-5773837415219200

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpegSigned-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent 58f3469c
...@@ -26,6 +26,11 @@ ...@@ -26,6 +26,11 @@
#include "mem.h" #include "mem.h"
#include "samplefmt.h" #include "samplefmt.h"
static AVFrameSideData *frame_new_side_data(AVFrame *frame,
enum AVFrameSideDataType type,
AVBufferRef *buf);
MAKE_ACCESSORS(AVFrame, frame, int64_t, best_effort_timestamp) MAKE_ACCESSORS(AVFrame, frame, int64_t, best_effort_timestamp)
MAKE_ACCESSORS(AVFrame, frame, int64_t, pkt_duration) MAKE_ACCESSORS(AVFrame, frame, int64_t, pkt_duration)
MAKE_ACCESSORS(AVFrame, frame, int64_t, pkt_pos) MAKE_ACCESSORS(AVFrame, frame, int64_t, pkt_pos)
...@@ -344,20 +349,11 @@ FF_ENABLE_DEPRECATION_WARNINGS ...@@ -344,20 +349,11 @@ FF_ENABLE_DEPRECATION_WARNINGS
} }
memcpy(sd_dst->data, sd_src->data, sd_src->size); memcpy(sd_dst->data, sd_src->data, sd_src->size);
} else { } else {
sd_dst = av_frame_new_side_data(dst, sd_src->type, 0); sd_dst = frame_new_side_data(dst, sd_src->type, av_buffer_ref(sd_src->buf));
if (!sd_dst) { if (!sd_dst) {
wipe_side_data(dst); wipe_side_data(dst);
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
} }
if (sd_src->buf) {
sd_dst->buf = av_buffer_ref(sd_src->buf);
if (!sd_dst->buf) {
wipe_side_data(dst);
return AVERROR(ENOMEM);
}
sd_dst->data = sd_dst->buf->data;
sd_dst->size = sd_dst->buf->size;
}
} }
av_dict_copy(&sd_dst->metadata, sd_src->metadata, 0); av_dict_copy(&sd_dst->metadata, sd_src->metadata, 0);
} }
...@@ -633,40 +629,47 @@ AVBufferRef *av_frame_get_plane_buffer(AVFrame *frame, int plane) ...@@ -633,40 +629,47 @@ AVBufferRef *av_frame_get_plane_buffer(AVFrame *frame, int plane)
return NULL; return NULL;
} }
AVFrameSideData *av_frame_new_side_data(AVFrame *frame, static AVFrameSideData *frame_new_side_data(AVFrame *frame,
enum AVFrameSideDataType type, enum AVFrameSideDataType type,
int size) AVBufferRef *buf)
{ {
AVFrameSideData *ret, **tmp; AVFrameSideData *ret, **tmp;
if (frame->nb_side_data > INT_MAX / sizeof(*frame->side_data) - 1) if (!buf)
return NULL; return NULL;
if (frame->nb_side_data > INT_MAX / sizeof(*frame->side_data) - 1)
goto fail;
tmp = av_realloc(frame->side_data, tmp = av_realloc(frame->side_data,
(frame->nb_side_data + 1) * sizeof(*frame->side_data)); (frame->nb_side_data + 1) * sizeof(*frame->side_data));
if (!tmp) if (!tmp)
return NULL; goto fail;
frame->side_data = tmp; frame->side_data = tmp;
ret = av_mallocz(sizeof(*ret)); ret = av_mallocz(sizeof(*ret));
if (!ret) if (!ret)
return NULL; goto fail;
if (size > 0) {
ret->buf = av_buffer_alloc(size);
if (!ret->buf) {
av_freep(&ret);
return NULL;
}
ret->data = ret->buf->data; ret->buf = buf;
ret->size = size; ret->data = ret->buf->data;
} ret->size = buf->size;
ret->type = type; ret->type = type;
frame->side_data[frame->nb_side_data++] = ret; frame->side_data[frame->nb_side_data++] = ret;
return ret; return ret;
fail:
av_buffer_unref(&buf);
return NULL;
}
AVFrameSideData *av_frame_new_side_data(AVFrame *frame,
enum AVFrameSideDataType type,
int size)
{
return frame_new_side_data(frame, type, av_buffer_alloc(size));
} }
AVFrameSideData *av_frame_get_side_data(const AVFrame *frame, AVFrameSideData *av_frame_get_side_data(const AVFrame *frame,
......
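Review bot: In the side-data copy branch, the new call `frame_new_side_data(dst, sd_src->type, av_buffer_ref(sd_src->buf))` hands `sd_src->buf` to av_buffer_ref() without the `if (sd_src->buf)` guard that the removed lines had. av_buffer_ref() is not shown on this page and, as far as I know, does not accept NULL, so a source frame whose side data has no buffer would now be dereferenced there (or at best be reported as ENOMEM) instead of being copied as an empty entry. I would keep an explicit `if (!sd_src->buf)` branch ahead of the call, or state the non-NULL invariant at the point where it is relied on. The helper's ownership contract also deserves a comment above `frame_new_side_data()`, e.g. `/* Takes ownership of buf: unreferenced on failure; a NULL buf is reported as failure. */`. The copy function starts and ends outside the hunk, so whether other producers can still create buffer-less side data cannot be checked from here.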