Commit e813df4f authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec: Avoid splitting side data repeatedly

Fixes Timeout
Fixes: 508/clusterfuzz-testcase-6245747678773248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
parent 523205ce
...@@ -462,7 +462,32 @@ int av_packet_split_side_data(AVPacket *pkt){ ...@@ -462,7 +462,32 @@ int av_packet_split_side_data(AVPacket *pkt){
} }
return 0; return 0;
} }
#endif
#if FF_API_MERGE_SD
int ff_packet_split_and_drop_side_data(AVPacket *pkt){
if (!pkt->side_data_elems && pkt->size >12 && AV_RB64(pkt->data + pkt->size - 8) == FF_MERGE_MARKER){
int i;
unsigned int size;
uint8_t *p;
p = pkt->data + pkt->size - 8 - 5;
for (i=1; ; i++){
size = AV_RB32(p);
if (size>INT_MAX - 5 || p - pkt->data < size)
return 0;
if (p[4]&128)
break;
if (p - pkt->data < size + 5)
return 0;
p-= size+5;
}
pkt->size = p - pkt->data - size;
av_assert0(pkt->size >= 0);
return 1;
}
return 0;
}
#endif #endif
uint8_t *av_packet_pack_dictionary(AVDictionary *dict, int *size) uint8_t *av_packet_pack_dictionary(AVDictionary *dict, int *size)
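Review bot: The loop counter `i` in ff_packet_split_and_drop_side_data is declared and incremented but never read, so the loop can be written `for (;;) {` and the `int i;` declaration dropped; av_packet_split_side_data needs the element count to size its allocation, this variant does not. The function shrinks `pkt->size` in place and returns 1 without producing any side_data entries, so a caller that treats the return value like av_packet_split_side_data's and then reads pkt->side_data would be misled; a header comment such as `/* Truncate pkt->size to strip merged side data without extracting it; returns 1 if anything was stripped, 0 otherwise. */` would make the difference explicit. The `av_assert0(pkt->size >= 0)` is only reachable after the two bounds checks in the loop have passed, so it is a sanity check on the arithmetic rather than input validation, and a short comment saying so would stop a reader from mistaking it for the guard against malformed trailers.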
...@@ -392,7 +392,9 @@ static int decode_simple_internal(AVCodecContext *avctx, AVFrame *frame) ...@@ -392,7 +392,9 @@ static int decode_simple_internal(AVCodecContext *avctx, AVFrame *frame)
tmp = *pkt; tmp = *pkt;
#if FF_API_MERGE_SD #if FF_API_MERGE_SD
FF_DISABLE_DEPRECATION_WARNINGS FF_DISABLE_DEPRECATION_WARNINGS
did_split = av_packet_split_side_data(&tmp); did_split = avci->compat_decode_partial_size ?
ff_packet_split_and_drop_side_data(&tmp) :
av_packet_split_side_data(&tmp);
if (did_split) { if (did_split) {
ret = extract_packet_props(avctx->internal, &tmp); ret = extract_packet_props(avctx->internal, &tmp);
...@@ -961,6 +963,7 @@ int avcodec_decode_subtitle2(AVCodecContext *avctx, AVSubtitle *sub, ...@@ -961,6 +963,7 @@ int avcodec_decode_subtitle2(AVCodecContext *avctx, AVSubtitle *sub,
AVPacket *avpkt) AVPacket *avpkt)
{ {
int i, ret = 0; int i, ret = 0;
AVCodecInternal *avci = avctx->internal;
if (!avpkt->data && avpkt->size) { if (!avpkt->data && avpkt->size) {
av_log(avctx, AV_LOG_ERROR, "invalid packet: NULL data, size != 0\n"); av_log(avctx, AV_LOG_ERROR, "invalid packet: NULL data, size != 0\n");
...@@ -981,7 +984,9 @@ int avcodec_decode_subtitle2(AVCodecContext *avctx, AVSubtitle *sub, ...@@ -981,7 +984,9 @@ int avcodec_decode_subtitle2(AVCodecContext *avctx, AVSubtitle *sub,
AVPacket tmp = *avpkt; AVPacket tmp = *avpkt;
#if FF_API_MERGE_SD #if FF_API_MERGE_SD
FF_DISABLE_DEPRECATION_WARNINGS FF_DISABLE_DEPRECATION_WARNINGS
int did_split = av_packet_split_side_data(&tmp); int did_split = avci->compat_decode_partial_size ?
ff_packet_split_and_drop_side_data(&tmp) :
av_packet_split_side_data(&tmp);
//apply_param_change(avctx, &tmp); //apply_param_change(avctx, &tmp);
if (did_split) { if (did_split) {
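Review bot: The new `AVCodecInternal *avci = avctx->internal;` in avcodec_decode_subtitle2 is declared unconditionally, but its only use visible in these hunks is the ternary inside `#if FF_API_MERGE_SD`; if the rest of the function (outside the hunk) does not use it, builds with FF_API_MERGE_SD disabled will get an unused-variable warning, so either move the declaration under the same `#if` or use `avci` for the function's other `avctx->internal` accesses as well. In decode_simple_internal the same ternary reads `avci->compat_decode_partial_size` while the line after it still passes `avctx->internal` to extract_packet_props; assuming `avci` is already in scope there (its declaration is outside the hunk), `extract_packet_props(avci, &tmp)` keeps the two consistent. The switch between the two functions is also unexplained at both call sites; a one-line comment such as `/* compat partial-size path: strip merged side data in place instead of allocating side data on every call */` would record why the decode paths diverge.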
...@@ -356,6 +356,10 @@ int ff_set_sar(AVCodecContext *avctx, AVRational sar); ...@@ -356,6 +356,10 @@ int ff_set_sar(AVCodecContext *avctx, AVRational sar);
int ff_side_data_update_matrix_encoding(AVFrame *frame, int ff_side_data_update_matrix_encoding(AVFrame *frame,
enum AVMatrixEncoding matrix_encoding); enum AVMatrixEncoding matrix_encoding);
#if FF_API_MERGE_SD
int ff_packet_split_and_drop_side_data(AVPacket *pkt);
#endif
/** /**
* Select the (possibly hardware accelerated) pixel format. * Select the (possibly hardware accelerated) pixel format.
* This is a wrapper around AVCodecContext.get_format() and should be used * This is a wrapper around AVCodecContext.get_format() and should be used
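Review bot: The new declaration `int ff_packet_split_and_drop_side_data(AVPacket *pkt);` is the only one in this stretch of internal.h without a doc comment, and its contract differs from av_packet_split_side_data in a way the name only hints at: it reduces `pkt->size` in place and discards the merged side data rather than attaching it to the packet. A comment above it along the lines of `/** Strip merged side data from pkt in place without extracting it. Returns 1 if pkt->size was reduced, 0 otherwise (nothing merged, or malformed trailer). */` would tell callers not to expect side_data_elems to be populated afterwards. The `#if FF_API_MERGE_SD` guard matches the one around the definition, which is right since both disappear together.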