Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH v2] avutil/avstring: shrink allocation from av_get_token to fit token
@ 2025-07-04 18:52 Kacper Michajłow
  2025-07-20 14:07 ` Kacper Michajlow
  0 siblings, 1 reply; 2+ messages in thread
From: Kacper Michajłow @ 2025-07-04 18:52 UTC (permalink / raw)
  To: ffmpeg-devel; +Cc: Kacper Michajłow

av_get_token() allocates an output buffer with the same size as the
input. Generally, this is harmless, but when the input string is large
and consists of many small tokens, calling av_get_token() repeatedly to
extract all tokens will significantly amplify memory allocations.

To fix this, after obtaining the return value, simply realloc the buffer
to the actual size needed for output string.

Fixes OOM when parsing filter graph string.
Fixes OSS-Fuzz: 394983446

Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
---
 libavutil/avstring.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavutil/avstring.c b/libavutil/avstring.c
index 875eb691db..281c5cdc88 100644
--- a/libavutil/avstring.c
+++ b/libavutil/avstring.c
@@ -142,7 +142,7 @@ end:
 
 char *av_get_token(const char **buf, const char *term)
 {
-    char *out     = av_malloc(strlen(*buf) + 1);
+    char *out     = av_realloc(NULL, strlen(*buf) + 1);
     char *ret     = out, *end = out;
     const char *p = *buf;
     if (!out)
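Review bot: The switch from av_malloc() to av_realloc(NULL, ...) on the `out` allocation line is not explained in the commit message or in a comment, so a later cleanup could revert it as an apparent no-op. If the intent is that the buffer passed to the final av_realloc() call comes from the same allocator, say so in a one-line comment above the allocation. The initial size is also still strlen(*buf) + 1, so every call still briefly allocates the full remaining input; the patch bounds what is retained per token, not the per-call peak, and the commit message should state that.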
@@ -172,7 +172,8 @@ char *av_get_token(const char **buf, const char *term)
 
     *buf = p;
 
-    return ret;
+    char *small_ret = av_realloc(ret, out - ret + 2);
+    return small_ret ? small_ret : ret;
 }
 
 char *av_strtok(char *s, const char *delim, char **saveptr)
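Review bot: In `av_realloc(ret, out - ret + 2)` the `+ 2` is only correct if `out` is left pointing at the last character of the token rather than at its terminator, and nothing visible in this hunk shows that. An off-by-one here would cut off the NUL and turn a memory-use fix into an out-of-bounds read in callers. Add a comment stating the invariant, or size the buffer as strlen(ret) + 1, which is self-evidently correct. Falling back to `ret` when the shrink fails is fine, since the original block stays valid. `small_ret` is also declared after the `*buf = p;` statement; consider declaring it with the other locals at the top of the function.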
-- 
2.47.2

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


* Re: [FFmpeg-devel] [PATCH v2] avutil/avstring: shrink allocation from av_get_token to fit token
  2025-07-04 18:52 [FFmpeg-devel] [PATCH v2] avutil/avstring: shrink allocation from av_get_token to fit token Kacper Michajłow
@ 2025-07-20 14:07 ` Kacper Michajlow
  0 siblings, 0 replies; 2+ messages in thread
From: Kacper Michajlow @ 2025-07-20 14:07 UTC (permalink / raw)
  To: ffmpeg-devel

On Fri, 4 Jul 2025 at 20:52, Kacper Michajłow <kasper93@gmail.com> wrote:

> av_get_token() allocates an output buffer with the same size as the
> input. Generally, this is harmless, but when the input string is large
> and consists of many small tokens, calling av_get_token() repeatedly to
> extract all tokens will significantly amplify memory allocations.
>
> To fix this, after obtaining the return value, simply realloc the buffer
> to the actual size needed for output string.
>
> Fixes OOM when parsing filter graph string.
> Fixes OSS-Fuzz: 394983446
>
> Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
> ---
>  libavutil/avstring.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/libavutil/avstring.c b/libavutil/avstring.c
> index 875eb691db..281c5cdc88 100644
> --- a/libavutil/avstring.c
> +++ b/libavutil/avstring.c
> @@ -142,7 +142,7 @@ end:
>
>  char *av_get_token(const char **buf, const char *term)
>  {
> -    char *out     = av_malloc(strlen(*buf) + 1);
> +    char *out     = av_realloc(NULL, strlen(*buf) + 1);
>      char *ret     = out, *end = out;
>      const char *p = *buf;
>      if (!out)
> @@ -172,7 +172,8 @@ char *av_get_token(const char **buf, const char *term)
>
>      *buf = p;
>
> -    return ret;
> +    char *small_ret = av_realloc(ret, out - ret + 2);
> +    return small_ret ? small_ret : ret;
>  }
>
>  char *av_strtok(char *s, const char *delim, char **saveptr)
> --
> 2.47.2
>
>
Will apply later if there is no objection.

- Kacper