From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PATCH 3/3] Revert "avcodec/h264_mp4toannexb_bsf: fix missing PS before IDR frames"
Date: Wed, 20 Mar 2024 03:19:26 +0100
Message-ID: <20240320021926.3759-3-michael@niedermayer.cc> (raw)
In-Reply-To: <20240320021926.3759-1-michael@niedermayer.cc>
This reverts commit d3aa0cd16f5e952bc346b7c74b4dcba95151a63a.
Fixes: out of array write
Fixes: 64407/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-4966763443650560
The bsf code performs 2 iterations, the first counts how much space is needed
then allocates
and the 2nd pass copies into the allocated space
The reverted code reallocates sps/pps in the first pass in a data-dependent way that leaves
the 2nd pass in a different state than the first
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/bsf/h264_mp4toannexb.c | 83 +++----------------------------
tests/fate/h264.mak | 5 --
2 files changed, 6 insertions(+), 82 deletions(-)
diff --git a/libavcodec/bsf/h264_mp4toannexb.c b/libavcodec/bsf/h264_mp4toannexb.c
index 120241c892..b99de39ce9 100644
--- a/libavcodec/bsf/h264_mp4toannexb.c
+++ b/libavcodec/bsf/h264_mp4toannexb.c
@@ -36,8 +36,6 @@ typedef struct H264BSFContext {
uint8_t *pps;
int sps_size;
int pps_size;
- unsigned sps_buf_size;
- unsigned pps_buf_size;
uint8_t length_size;
uint8_t new_idr;
uint8_t idr_sps_seen;
@@ -133,33 +131,16 @@ pps:
memset(out + total_size, 0, padding);
if (pps_offset) {
- uint8_t *sps;
-
+ s->sps = out;
s->sps_size = pps_offset;
- sps = av_fast_realloc(s->sps, &s->sps_buf_size, s->sps_size);
- if (!sps) {
- av_free(out);
- return AVERROR(ENOMEM);
- }
- s->sps = sps;
- memcpy(s->sps, out, s->sps_size);
} else {
av_log(ctx, AV_LOG_WARNING,
"Warning: SPS NALU missing or invalid. "
"The resulting stream may not play.\n");
}
if (pps_offset < total_size) {
- uint8_t *pps;
-
+ s->pps = out + pps_offset;
s->pps_size = total_size - pps_offset;
- pps = av_fast_realloc(s->pps, &s->pps_buf_size, s->pps_size);
- if (!pps) {
- av_freep(&s->sps);
- av_free(out);
- return AVERROR(ENOMEM);
- }
- s->pps = pps;
- memcpy(s->pps, out + pps_offset, s->pps_size);
} else {
av_log(ctx, AV_LOG_WARNING,
"Warning: PPS NALU missing or invalid. "
@@ -179,35 +160,6 @@ pps:
return 0;
}
-static int h264_mp4toannexb_save_ps(uint8_t **dst, int *dst_size,
- unsigned *dst_buf_size,
- const uint8_t *nal, uint32_t nal_size,
- int first)
-{
- static const uint8_t nalu_header[4] = { 0, 0, 0, 1 };
- const int start_code_size = sizeof(nalu_header);
- uint8_t *ptr;
- uint32_t size;
-
- if (first)
- size = 0;
- else
- size = *dst_size;
-
- ptr = av_fast_realloc(*dst, dst_buf_size, size + nal_size + start_code_size);
- if (!ptr)
- return AVERROR(ENOMEM);
-
- memcpy(ptr + size, nalu_header, start_code_size);
- size += start_code_size;
- memcpy(ptr + size, nal, nal_size);
- size += nal_size;
-
- *dst = ptr;
- *dst_size = size;
- return 0;
-}
-
static int h264_mp4toannexb_init(AVBSFContext *ctx)
{
int extra_size = ctx->par_in->extradata_size;
@@ -268,9 +220,6 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt)
if (j) \
av_log(__VA_ARGS__)
for (int j = 0; j < 2; j++) {
- int sps_count = 0;
- int pps_count = 0;
-
buf = in->data;
new_idr = s->new_idr;
sps_seen = s->idr_sps_seen;
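Review bot: The loop at `for (int j = 0; j < 2; j++)` carries the invariant that pass 0 only counts the output size and pass 1 copies into a buffer sized by pass 0, which is exactly the invariant the reverted change broke according to the commit message, yet the code does not state it. Suggest a comment above the loop: `/* pass 0 counts the output size, pass 1 copies into it; both passes must observe identical s->sps/s->pps state, so nothing inside this loop may reallocate or mutate them */`. The same invariant is consumed in the hunk that restores `if (ctx->par_out->extradata)` before the IDR slice, so a one-line pointer there (`/* only extradata PS here: see the two-pass note above */`) would keep the next fix from repeating the same mistake. The loop body continues past the end of this hunk.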
@@ -301,18 +250,8 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt)
if (unit_type == H264_NAL_SPS) {
sps_seen = new_idr = 1;
- if (!j) {
- h264_mp4toannexb_save_ps(&s->sps, &s->sps_size, &s->sps_buf_size,
- buf, nal_size, !sps_count);
- sps_count++;
- }
} else if (unit_type == H264_NAL_PPS) {
pps_seen = new_idr = 1;
- if (!j) {
- h264_mp4toannexb_save_ps(&s->pps, &s->pps_size, &s->pps_buf_size,
- buf, nal_size, !pps_count);
- pps_count++;
- }
/* if SPS has not been seen yet, prepend the AVCC one to PPS */
if (!sps_seen) {
if (!s->sps_size) {
@@ -332,10 +271,9 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt)
/* prepend only to the first type 5 NAL unit of an IDR picture, if no sps/pps are already present */
if (new_idr && unit_type == H264_NAL_IDR_SLICE && !sps_seen && !pps_seen) {
- if (s->sps_size)
- count_or_copy(&out, &out_size, s->sps, s->sps_size, PS_OUT_OF_BAND, j);
- if (s->pps_size)
- count_or_copy(&out, &out_size, s->pps, s->pps_size, PS_OUT_OF_BAND, j);
+ if (ctx->par_out->extradata)
+ count_or_copy(&out, &out_size, ctx->par_out->extradata,
+ ctx->par_out->extradata_size, PS_OUT_OF_BAND, j);
new_idr = 0;
/* if only SPS has been seen, also insert PPS */
} else if (new_idr && unit_type == H264_NAL_IDR_SLICE && sps_seen && !pps_seen) {
@@ -351,7 +289,7 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt)
else
ps = PS_NONE;
count_or_copy(&out, &out_size, buf, nal_size, ps, j);
- if (unit_type == H264_NAL_SLICE) {
+ if (!new_idr && unit_type == H264_NAL_SLICE) {
new_idr = 1;
sps_seen = 0;
pps_seen = 0;
@@ -391,14 +329,6 @@ fail:
return ret;
}
-static void h264_mp4toannexb_close(AVBSFContext *ctx)
-{
- H264BSFContext *s = ctx->priv_data;
-
- av_freep(&s->sps);
- av_freep(&s->pps);
-}
-
static void h264_mp4toannexb_flush(AVBSFContext *ctx)
{
H264BSFContext *s = ctx->priv_data;
@@ -418,6 +348,5 @@ const FFBitStreamFilter ff_h264_mp4toannexb_bsf = {
.priv_data_size = sizeof(H264BSFContext),
.init = h264_mp4toannexb_init,
.filter = h264_mp4toannexb_filter,
- .close = h264_mp4toannexb_close,
.flush = h264_mp4toannexb_flush,
};
diff --git a/tests/fate/h264.mak b/tests/fate/h264.mak
index 674054560b..d0c57eabe9 100644
--- a/tests/fate/h264.mak
+++ b/tests/fate/h264.mak
@@ -227,7 +227,6 @@ FATE_H264-$(call FRAMECRC, MOV, H264) += fate-h264-twofields-packet
FATE_H264-$(call DEMMUX, MOV, H264, H264_MP4TOANNEXB_BSF SCALE_FILTER) += fate-h264-bsf-mp4toannexb-new-extradata
FATE_H264-$(call DEMMUX, MOV, H264, H264_MP4TOANNEXB_BSF) += fate-h264-bsf-mp4toannexb \
- fate-h264-bsf-mp4toannexb-2 \
fate-h264_mp4toannexb_ticket5927 \
fate-h264_mp4toannexb_ticket5927_2 \
@@ -432,10 +431,6 @@ fate-h264-conformance-sva_nl1_b: CMD = framecrc -i $(TARGET_SAM
fate-h264-conformance-sva_nl2_e: CMD = framecrc -i $(TARGET_SAMPLES)/h264-conformance/SVA_NL2_E.264
fate-h264-bsf-mp4toannexb: CMD = md5 -i $(TARGET_SAMPLES)/h264/interlaced_crop.mp4 -c:v copy -f h264
-# First IDR is prefixed by SPS/PPS
-fate-h264-bsf-mp4toannexb-2: CMD = md5 -i $(TARGET_SAMPLES)/h264/ps_prefix_first_idr.mp4 -c:v copy -f h264
-fate-h264-bsf-mp4toannexb-2: CMP = oneline
-fate-h264-bsf-mp4toannexb-2: REF = cffcfa6a2d0b58c9de1f5785f099f41d
fate-h264-bsf-mp4toannexb-new-extradata: CMD = stream_remux mov $(TARGET_SAMPLES)/h264/extradata-reload-multi-stsd.mov "" h264 "-map 0:v"
fate-h264_mp4toannexb_ticket5927: CMD = transcode "mp4" $(TARGET_SAMPLES)/h264/thezerotheorem-cut.mp4 \
h264 "-c:v copy -bsf:v h264_mp4toannexb -an" "-c:v copy"
--
2.17.1