h264_mp4toannexb: Stop reallocating the output buffer

Up until now, h264_mp4toannexb would grow the output packet's buffer by the desired amount every time another NAL unit of the input packet has been read; this commit changes this: The input buffer is now essentially parsed twice, once to determine the final size of the output packet and once to write the output packet's data. Fixes: Timeout Fixes: 19322/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-5688407821123584 Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

h264_mp4toannexb: Stop reallocating the output buffer
Up until now, h264_mp4toannexb would grow the output packet's buffer by the desired amount every time another NAL unit of the input packet has been read; this commit changes this: The input buffer is now essentially parsed twice, once to determine the final size of the output packet and once to write the output packet's data. Fixes: Timeout Fixes: 19322/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-5688407821123584 Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
cb47c6c6 · Andreas Rheinhardt · Michael Niedermayer · 84c87e41 · cb47c6c6
Commit cb47c6c6 authored Dec 14, 2019 by Andreas Rheinhardt Committed by Michael Niedermayer Mar 05, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 72 additions and 52 deletions

h264_mp4toannexb_bsf.c libavcodec/h264_mp4toannexb_bsf.c +72 -52

No files found.
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -42,27 +42,23 @@ typedef struct H264BSFContext {
    int      extradata_parsed;
 } H264BSFContext;
-static int alloc_and_copy(AVPacket *out,
+static void count_or_copy(uint8_t **out, uint64_t *out_size,
-                          const uint8_t *in, uint32_t in_size, int ps)
+                          const uint8_t *in, int in_size, int ps, int copy)
 {
-    uint32_t offset         = out->size;
+    uint8_t start_code_size = ps < 0 ? 0 : *out_size == 0 || ps ? 4 : 3;
-    uint8_t start_code_size = ps < 0 ? 0 : offset == 0 || ps ? 4 : 3;
-    int err;
-    err = av_grow_packet(out, in_size + start_code_size);
+    if (copy) {
-    if (err < 0)
+        memcpy(*out + start_code_size, in, in_size);
-        return err;
-    memcpy(out->data + start_code_size + offset, in, in_size);
    if (start_code_size == 4) {
-        AV_WB32(out->data + offset, 1);
+            AV_WB32(*out, 1);
    } else if (start_code_size) {
-        (out->data + offset)[0] =
+            (*out)[0] =
-        (out->data + offset)[1] = 0;
+            (*out)[1] = 0;
-        (out->data + offset)[2] = 1;
+            (*out)[2] = 1;
    }
+        *out  += start_code_size + in_size;
-    return 0;
+    }
+    *out_size += start_code_size + in_size;
 }
 static int h264_extradata_to_annexb(AVBSFContext *ctx, const int padding)
@@ -169,15 +165,17 @@ static int h264_mp4toannexb_init(AVBSFContext *ctx)
    return 0;
 }
-static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
+static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt)
 {
    H264BSFContext *s = ctx->priv_data;
    AVPacket *in;
-    uint8_t unit_type;
+    uint8_t unit_type, new_idr, sps_seen, pps_seen;
    int32_t nal_size;
    const uint8_t *buf;
    const uint8_t *buf_end;
+    uint8_t *out;
+    uint64_t out_size;
    int ret = 0, i;
    ret = ff_bsf_get_packet(ctx, &in);
@@ -186,14 +184,23 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
    /* nothing to filter */
    if (!s->extradata_parsed) {
-        av_packet_move_ref(out, in);
+        av_packet_move_ref(opkt, in);
        av_packet_free(&in);
        return 0;
    }
-    buf      = in->data;
    buf_end  = in->data + in->size;
+#define LOG_ONCE(...) \
+    if (j) \
+        av_log(__VA_ARGS__)
+    for (int j = 0; j < 2; j++) {
+        buf      = in->data;
+        new_idr  = s->new_idr;
+        sps_seen = s->idr_sps_seen;
+        pps_seen = s->idr_pps_seen;
+        out_size = 0;
    do {
        ret= AVERROR(EINVAL);
        if (buf + s->length_size > buf_end)
@@ -209,20 +216,16 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
            goto fail;
        if (unit_type == H264_NAL_SPS)
-            s->idr_sps_seen = s->new_idr = 1;
+                sps_seen = new_idr = 1;
        else if (unit_type == H264_NAL_PPS) {
-            s->idr_pps_seen = s->new_idr = 1;
+                pps_seen = new_idr = 1;
            /* if SPS has not been seen yet, prepend the AVCC one to PPS */
-            if (!s->idr_sps_seen) {
+                if (!sps_seen) {
                if (!s->sps_size)
-                    av_log(ctx, AV_LOG_WARNING, "SPS not present in the stream, nor in AVCC, stream may be unreadable\n");
+                        LOG_ONCE(ctx, AV_LOG_WARNING, "SPS not present in the stream, nor in AVCC, stream may be unreadable\n");
                else {
-                    if ((ret = alloc_and_copy(out,
+                        count_or_copy(&out, &out_size, s->sps, s->sps_size, -1, j);
-                                         s->sps,
+                        sps_seen = 1;
-                                         s->sps_size,
-                                         -1)) < 0)
-                        goto fail;
-                    s->idr_sps_seen = 1;
                }
            }
        }
@@ -230,44 +233,61 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        /* if this is a new IDR picture following an IDR picture, reset the idr flag.
         * Just check first_mb_in_slice to be 0 as this is the simplest solution.
         * This could be checking idr_pic_id instead, but would complexify the parsing. */
-        if (!s->new_idr && unit_type == H264_NAL_IDR_SLICE && (buf[1] & 0x80))
+            if (!new_idr && unit_type == H264_NAL_IDR_SLICE && (buf[1] & 0x80))
-            s->new_idr = 1;
+                new_idr = 1;
        /* prepend only to the first type 5 NAL unit of an IDR picture, if no sps/pps are already present */
-        if (s->new_idr && unit_type == H264_NAL_IDR_SLICE && !s->idr_sps_seen && !s->idr_pps_seen) {
+            if (new_idr && unit_type == H264_NAL_IDR_SLICE && !sps_seen && !pps_seen) {
-            if (ctx->par_out->extradata && (ret=alloc_and_copy(out,
+                if (ctx->par_out->extradata)
-                               ctx->par_out->extradata, ctx->par_out->extradata_size,
+                    count_or_copy(&out, &out_size, ctx->par_out->extradata,
-                               -1)) < 0)
+                                  ctx->par_out->extradata_size, -1, j);
-                goto fail;
+                new_idr = 0;
-            s->new_idr = 0;
        /* if only SPS has been seen, also insert PPS */
-        } else if (s->new_idr && unit_type == H264_NAL_IDR_SLICE && s->idr_sps_seen && !s->idr_pps_seen) {
+            } else if (new_idr && unit_type == H264_NAL_IDR_SLICE && sps_seen && !pps_seen) {
            if (!s->pps_size) {
-                av_log(ctx, AV_LOG_WARNING, "PPS not present in the stream, nor in AVCC, stream may be unreadable\n");
+                    LOG_ONCE(ctx, AV_LOG_WARNING, "PPS not present in the stream, nor in AVCC, stream may be unreadable\n");
-            } else if ((ret = alloc_and_copy(out,
+                } else {
-                                        s->pps, s->pps_size,
+                    count_or_copy(&out, &out_size, s->pps, s->pps_size, -1, j);
-                                        -1)) < 0)
+                }
-                goto fail;
        }
-            if ((ret=alloc_and_copy(out, buf, nal_size, unit_type == H264_NAL_SPS || unit_type == H264_NAL_PPS)) < 0)
+            count_or_copy(&out, &out_size, buf, nal_size,
-                goto fail;
+                          unit_type == H264_NAL_SPS || unit_type == H264_NAL_PPS, j);
-            if (!s->new_idr && unit_type == H264_NAL_SLICE) {
+            if (!new_idr && unit_type == H264_NAL_SLICE) {
-                s->new_idr = 1;
+                new_idr  = 1;
-                s->idr_sps_seen = 0;
+                sps_seen = 0;
-                s->idr_pps_seen = 0;
+                pps_seen = 0;
            }
        buf        += nal_size;
    } while (buf < buf_end);
-    ret = av_packet_copy_props(out, in);
+        if (!j) {
+            if (out_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
+            ret = av_new_packet(opkt, out_size);
+            if (ret < 0)
+                goto fail;
+            out = opkt->data;
+        }
+    }
+#undef LOG_ONCE
+    av_assert1(out_size == opkt->size);
+    s->new_idr      = new_idr;
+    s->idr_sps_seen = sps_seen;
+    s->idr_pps_seen = pps_seen;
+    ret = av_packet_copy_props(opkt, in);
    if (ret < 0)
        goto fail;
 fail:
    if (ret < 0)
-        av_packet_unref(out);
+        av_packet_unref(opkt);
    av_packet_free(&in);
    return ret;