The SEI message read/write functions are called
via function pointers where the SEI message-specific
context is passed as void*. But the actual function
definitions use a pointer to their proper context
in place of void*, making the calls undefined behaviour.
Clang UBSan 17 warns about this.
This commit fixes this by adding wrapper functions
(created via macros) that have the right type that
call the actual functions. This reduced the number of failing
FATE tests with UBSan from 164 to 85 here.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
payload_count is used to track the number of SEI payloads. It is also
used to free the SEIs in cbs_h264_free_sei()/cbs_h265_free_sei().
Currently, payload_count is set after for loop is completed. Hence if
there is an error and the function exits, the payload remains zero
causing a memleak.
This commit keeps track of payload_count inside the for loop to fix the
issue. Note that that the contents of current are initialized with
av_mallocz() so there is no need to zero initialize payload_count.
Found-by: libFuzzer
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
This commit uses smaller types for some static const arrays to reduce
their size in case the entries can be represented in the smaller type.
The biggest savings came from inv_map_table in vp9.c.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
This follows the spec definition, and removes a field from the relevant
structs.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
The earlier code used the most recent non-auxiliary slice to determine
whether an auxiliary slice has the syntax of an IDR slice, even when
the most recent slice was from a slice of a redundant frame. Now only
slices of the primary coded picture are used, as the specifications
mandate.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@googlemail.com>
64c50c0e97 declared support for decomposing
them but omitted to implement it; this adds an implementation.
Also do the same for end-of-stream NAL units, since they are equivalent.
Fixes crash noticed in the cbs_userdata patchset.
====ERROR: AddressSanitizer: heap-buffer-overflow on address 0x609000026c89 at pc 0x00010725d37b bp 0x7ffeea04e750 sp 0x7ffeea04e748
READ of size 4 at 0x609000026c89 thread T0
#0 0x10725d37a in ff_cbs_read_unsigned get_bits.h:274
#1 0x1072d2767 in ff_cbs_read_a53_user_data cbs_misc_syntax_template.c:119
#2 0x1078251a7 in h264_metadata_filter h264_metadata_bsf.c:595
#3 0x105c1321d in output_packet ffmpeg.c:853
0x609000026c89 is located 1 bytes to the right of 8-byte region [0x609000026c80,0x609000026c88)
allocated by thread T0 here:
#0 0x10aef08d7 in wrap_posix_memalign (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x578d7)
#1 0x10aca95e6 in av_malloc mem.c:87
#2 0x10ac545fe in av_buffer_allocz buffer.c:72
#3 0x107263b27 in cbs_h264_read_nal_unit cbs_h264_syntax_template.c:722
#4 0x10725b688 in cbs_read_fragment_content cbs.c:155
Signed-off-by: Aman Gupta <aman@tmm1.net>
A recent version of the standard changed the max and default to 15, from
16 in older versions. This updates the default to 15 to match, but the
max stays as 16 so that we don't reject older streams.
The type of the result of a shift operation is unaffected by the type of
the right operand, so some existing code overflows with undefined behaviour
when the element length is 32. Add a helper macro to calculate the maximum
value correctly and then use it everywhere this pattern appears.
Found-by: Andreas Rheinhardt <andreas.rheinhardt@googlemail.com>