aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJames Almer <jamrial@gmail.com>2021-04-22 13:15:03 -0300
committerJames Almer <jamrial@gmail.com>2021-04-23 17:21:13 -0300
commit33f2144d2ff9efd3729db27ae34a5ff30d4ed534 (patch)
treea884e43496a702ca71fe4ac6b0c6cc2e6db7a5a5
parentefdb56450418933965dc6e27f0b1625d25e44a8c (diff)
downloadffmpeg-33f2144d2ff9efd3729db27ae34a5ff30d4ed534.tar.gz
avcodec/av1_metadata: don't store the inserted TD OBU in stack
Fixes: stack-use-after-return Fixes: clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-5931515701755904 Fixes: clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-6105676541722624 Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> Signed-off-by: James Almer <jamrial@gmail.com>
-rw-r--r--libavcodec/av1_metadata_bsf.c16
1 files changed, 9 insertions, 7 deletions
diff --git a/libavcodec/av1_metadata_bsf.c b/libavcodec/av1_metadata_bsf.c
index 328db5c0da..1fb85d88b7 100644
--- a/libavcodec/av1_metadata_bsf.c
+++ b/libavcodec/av1_metadata_bsf.c
@@ -28,6 +28,7 @@ typedef struct AV1MetadataContext {
CBSBSFContext common;
int td;
+ AV1RawOBU td_obu;
int color_primaries;
int transfer_characteristics;
@@ -107,12 +108,11 @@ static int av1_metadata_update_fragment(AVBSFContext *bsf, AVPacket *pkt,
CodedBitstreamFragment *frag)
{
AV1MetadataContext *ctx = bsf->priv_data;
- AV1RawOBU td, *obu;
int err, i;
for (i = 0; i < frag->nb_units; i++) {
if (frag->units[i].type == AV1_OBU_SEQUENCE_HEADER) {
- obu = frag->units[i].content;
+ AV1RawOBU *obu = frag->units[i].content;
err = av1_metadata_update_sequence_header(bsf, &obu->obu.sequence_header);
if (err < 0)
return err;
@@ -124,12 +124,8 @@ static int av1_metadata_update_fragment(AVBSFContext *bsf, AVPacket *pkt,
if (ctx->td == BSF_ELEMENT_REMOVE)
ff_cbs_delete_unit(frag, 0);
} else if (pkt && ctx->td == BSF_ELEMENT_INSERT) {
- td = (AV1RawOBU) {
- .header.obu_type = AV1_OBU_TEMPORAL_DELIMITER,
- };
-
err = ff_cbs_insert_unit_content(frag, 0, AV1_OBU_TEMPORAL_DELIMITER,
- &td, NULL);
+ &ctx->td_obu, NULL);
if (err < 0) {
av_log(bsf, AV_LOG_ERROR, "Failed to insert Temporal Delimiter.\n");
return err;
@@ -155,6 +151,12 @@ static const CBSBSFType av1_metadata_type = {
static int av1_metadata_init(AVBSFContext *bsf)
{
+ AV1MetadataContext *ctx = bsf->priv_data;
+
+ ctx->td_obu = (AV1RawOBU) {
+ .header.obu_type = AV1_OBU_TEMPORAL_DELIMITER,
+ };
+
return ff_cbs_bsf_generic_init(bsf, &av1_metadata_type);
}