[FFmpeg-devel] [PATCH v2] avutil/avstring: shrink allocation from av_get_token to fit token

* [FFmpeg-devel] [PATCH v2] avutil/avstring: shrink allocation from av_get_token to fit token
@ 2025-07-04 18:52 Kacper Michajłow
  0 siblings, 0 replies; only message in thread
From: Kacper Michajłow @ 2025-07-04 18:52 UTC (permalink / raw)
  To: ffmpeg-devel; +Cc: Kacper Michajłow

av_get_token() allocates an output buffer with the same size as the
input. Generally, this is harmless, but when the input string is large
and consists of many small tokens, calling av_get_token() repeatedly to
extract all tokens will significantly amplify memory allocations.

To fix this, after obtaining the return value, simply realloc the buffer
to the actual size needed for output string.

Fixes OOM when parsing filter graph string.
Fixes OSS-Fuzz: 394983446

Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
---
 libavutil/avstring.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavutil/avstring.c b/libavutil/avstring.c
index 875eb691db..281c5cdc88 100644
--- a/libavutil/avstring.c
+++ b/libavutil/avstring.c
@@ -142,7 +142,7 @@ end:
 
 char *av_get_token(const char **buf, const char *term)
 {
-    char *out     = av_malloc(strlen(*buf) + 1);
+    char *out     = av_realloc(NULL, strlen(*buf) + 1);
     char *ret     = out, *end = out;
     const char *p = *buf;
     if (!out)
@@ -172,7 +172,8 @@ char *av_get_token(const char **buf, const char *term)
 
     *buf = p;
 
-    return ret;
+    char *small_ret = av_realloc(ret, out - ret + 2);
+    return small_ret ? small_ret : ret;
 }
 
 char *av_strtok(char *s, const char *delim, char **saveptr)
-- 
2.47.2

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] only message in thread