[FFmpeg-devel] [PATCH] avcodec/av1_metadata: don't store the inserted TD OBU in stack

James Almer jamrial at gmail.com
Fri Apr 23 23:18:49 EEST 2021


On 4/23/2021 5:00 PM, Andreas Rheinhardt wrote:
> James Almer:
>> Fixes: stack-use-after-return
>> Fixes: clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-5931515701755904
>> Fixes: clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-6105676541722624
>>
>> Signed-off-by: James Almer <jamrial at gmail.com>
>> ---
>>   libavcodec/av1_metadata_bsf.c | 7 ++++---
>>   1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/libavcodec/av1_metadata_bsf.c b/libavcodec/av1_metadata_bsf.c
>> index 328db5c0da..b1ae364431 100644
>> --- a/libavcodec/av1_metadata_bsf.c
>> +++ b/libavcodec/av1_metadata_bsf.c
>> @@ -28,6 +28,7 @@ typedef struct AV1MetadataContext {
>>       CBSBSFContext common;
>>   
>>       int td;
>> +    AV1RawOBU td_obu;
>>   
>>       int color_primaries;
>>       int transfer_characteristics;
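
Review bot: The new `td_obu` member of `AV1MetadataContext` carries no comment saying why a raw OBU lives in the private context. Going by the commit message, it is there because the inserted Temporal Delimiter must stay valid after `av1_metadata_update_fragment()` returns. A one-line comment to that effect above `AV1RawOBU td_obu;` would keep a later cleanup from turning it back into a local.
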
>> @@ -107,7 +108,7 @@ static int av1_metadata_update_fragment(AVBSFContext *bsf, AVPacket *pkt,
>>                                           CodedBitstreamFragment *frag)
>>   {
>>       AV1MetadataContext *ctx = bsf->priv_data;
>> -    AV1RawOBU td, *obu;
>> +    AV1RawOBU *obu;
>>       int err, i;
>>   
>>       for (i = 0; i < frag->nb_units; i++) {
>> @@ -124,12 +125,12 @@ static int av1_metadata_update_fragment(AVBSFContext *bsf, AVPacket *pkt,
>>           if (ctx->td == BSF_ELEMENT_REMOVE)
>>               ff_cbs_delete_unit(frag, 0);
>>       } else if (pkt && ctx->td == BSF_ELEMENT_INSERT) {
>> -        td = (AV1RawOBU) {
>> +        ctx->td_obu = (AV1RawOBU) {
>>               .header.obu_type = AV1_OBU_TEMPORAL_DELIMITER,
>>           };
> 
> I think you can move the initialization to init. LGTM anyway.

Will do that and apply. Thanks

> 
>>   
>>           err = ff_cbs_insert_unit_content(frag, 0, AV1_OBU_TEMPORAL_DELIMITER,
>> -                                         &td, NULL);
>> +                                         &ctx->td_obu, NULL);
>>           if (err < 0) {
>>               av_log(bsf, AV_LOG_ERROR, "Failed to insert Temporal Delimiter.\n");
>>               return err;
>>
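
Review bot: In the `BSF_ELEMENT_INSERT` branch, `ctx->td_obu` is reassigned from the same compound literal on every packet, although the only field it sets is `.header.obu_type = AV1_OBU_TEMPORAL_DELIMITER`. Because `&ctx->td_obu` is handed to `ff_cbs_insert_unit_content()` with `NULL` as the last argument, the inserted unit points straight at this context storage, so it is cleaner not to write to it per call. Set it once when the filter is initialised and leave only the insert call here.
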