[FFmpeg-devel] [PATCH 3/3] avcodec/ivi: Allocate bufs later

Michael Niedermayer michael at niedermayer.cc
Wed Aug 14 10:00:08 EEST 2019


Fixes: Timeout (24sec->2sec)
Fixes: 15951/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-5095433266790400

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/ivi.c | 39 ++++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 19 deletions(-)

diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c
index 73fcf51b7b..18192cbf23 100644
--- a/libavcodec/ivi.c
+++ b/libavcodec/ivi.c
@@ -354,23 +354,11 @@ av_cold int ff_ivi_init_planes(AVCodecContext *avctx, IVIPlaneDesc *planes, cons
             band->height   = b_height;
             band->pitch    = width_aligned;
             band->aheight  = height_aligned;
-            band->bufs[0]  = av_mallocz(buf_size);
-            band->bufs[1]  = av_mallocz(buf_size);
+            av_assert0(!band->bufs[0] && !band->bufs[1] &&
+                       !band->bufs[2] && !band->bufs[3]);
             band->bufsize  = buf_size/2;
-            if (!band->bufs[0] || !band->bufs[1])
-                return AVERROR(ENOMEM);
+            av_assert0(buf_size % 2 == 0);
 
-            /* allocate the 3rd band buffer for scalability mode */
-            if (cfg->luma_bands > 1) {
-                band->bufs[2] = av_mallocz(buf_size);
-                if (!band->bufs[2])
-                    return AVERROR(ENOMEM);
-            }
-            if (is_indeo4) {
-                band->bufs[3]  = av_mallocz(buf_size);
-                if (!band->bufs[3])
-                    return AVERROR(ENOMEM);
-            }
             /* reset custom vlc */
             planes[p].bands[0].blk_vlc.cust_desc.num_rows = 0;
         }
@@ -945,6 +933,15 @@ static void ivi_output_plane(IVIPlaneDesc *plane, uint8_t *dst, ptrdiff_t dst_pi
     }
 }
 
+static void *prepare_buf(IVI45DecContext *ctx, IVIBandDesc *band, int i)
+{
+    if (ctx->pic_conf.luma_bands <= 1 && i == 2)
+        return NULL;
+    if (!band->bufs[i])
+        band->bufs[i] = av_mallocz(2 * band->bufsize);
+    return band->bufs[i];
+}
+
 /**
  *  Decode an Indeo 4 or 5 band.
  *
@@ -959,18 +956,22 @@ static int decode_band(IVI45DecContext *ctx,
     int         result, i, t, idx1, idx2, pos;
     IVITile     *tile;
 
-    band->buf     = band->bufs[ctx->dst_buf];
+    band->buf     = prepare_buf(ctx, band, ctx->dst_buf);
     if (!band->buf) {
         av_log(avctx, AV_LOG_ERROR, "Band buffer points to no data!\n");
         return AVERROR_INVALIDDATA;
     }
     if (ctx->is_indeo4 && ctx->frame_type == IVI4_FRAMETYPE_BIDIR) {
-        band->ref_buf   = band->bufs[ctx->b_ref_buf];
-        band->b_ref_buf = band->bufs[ctx->ref_buf];
+        band->ref_buf   = prepare_buf(ctx, band, ctx->b_ref_buf);
+        band->b_ref_buf = prepare_buf(ctx, band, ctx->ref_buf);
+        if (!band->b_ref_buf)
+            return AVERROR(ENOMEM);
     } else {
-        band->ref_buf   = band->bufs[ctx->ref_buf];
+        band->ref_buf   = prepare_buf(ctx, band, ctx->ref_buf);
         band->b_ref_buf = 0;
     }
+    if (!band->ref_buf)
+        return AVERROR(ENOMEM);
     band->data_ptr  = ctx->frame_data + (get_bits_count(&ctx->gb) >> 3);
 
     result = ctx->decode_band_hdr(ctx, band, avctx);
-- 
2.22.1



More information about the ffmpeg-devel mailing list