Packets without data need to be handled specially in order to avoid
undefined reads. Pass these packets through unchanged in case there
are no cached packets* and error out in case there are cached packets:
Returning the packet would mess with the order of the packets;
if one returned the zero-sized packet before the superframe that will
be created from the packets in the cache, the zero-sized packet would
overtake the packets in the cache; if one returned the packet later,
the packets that complete the superframe will overtake the zero-sized
packet.
*: This case e.g. encompasses the scenario of updated extradata
side-data at the end.
Fixes: Out of array read
Fixes: 45722/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_SUPERFRAME_fuzzer-5173378975137792
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This patch is analogous to 20f972701806be20a77f808db332d9489343bb78:
It hides the internal part of AVBitStreamFilter by adding a new
internal structure FFBitStreamFilter (declared in bsf_internal.h)
that has an AVBitStreamFilter as its first member; the internal
part of AVBitStreamFilter is moved to this new structure.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Up until now, the vp9_superframe bsf used distinct packets for input and
output. But at no point in the bsf are the input and output packets used
at the same time (except during a call to av_packet_move_ref()), so that
one can avoid using two packets if one switches to ff_bsf_get_packet_ref
at the same time. This also saves one malloc+free of an AVPacket
structure per filtered packet.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
This reverts commit 7a02b364b6.
The packet fetched by ff_bsf_get_packet() and ff_bsf_get_packet_ref()
is now guaranteed to be reference counted.
Reviewed-by: wm4 <nfxjfg@googlemail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
Also use av_packet_move_ref() to cache them instead of copying
pointers.
Fixes invalid reads since e1bc3f4396.
Signed-off-by: James Almer <jamrial@gmail.com>
Anton Khirnov
Andreas Rheinhardt
Andreas Rheinhardt
Fu Linjie
James Almer
Ronald S. Bultje