diff options
author | James Almer <jamrial@gmail.com> | 2021-04-22 13:15:03 -0300 |
---|---|---|
committer | James Almer <jamrial@gmail.com> | 2021-04-23 17:21:13 -0300 |
commit | 33f2144d2ff9efd3729db27ae34a5ff30d4ed534 (patch) | |
tree | a884e43496a702ca71fe4ac6b0c6cc2e6db7a5a5 | |
parent | efdb56450418933965dc6e27f0b1625d25e44a8c (diff) | |
download | ffmpeg-33f2144d2ff9efd3729db27ae34a5ff30d4ed534.tar.gz |
avcodec/av1_metadata: don't store the inserted TD OBU in stack
Fixes: stack-use-after-return
Fixes: clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-5931515701755904
Fixes: clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-6105676541722624
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Signed-off-by: James Almer <jamrial@gmail.com>
-rw-r--r-- | libavcodec/av1_metadata_bsf.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/libavcodec/av1_metadata_bsf.c b/libavcodec/av1_metadata_bsf.c index 328db5c0da..1fb85d88b7 100644 --- a/libavcodec/av1_metadata_bsf.c +++ b/libavcodec/av1_metadata_bsf.c @@ -28,6 +28,7 @@ typedef struct AV1MetadataContext { CBSBSFContext common; int td; + AV1RawOBU td_obu; int color_primaries; int transfer_characteristics; @@ -107,12 +108,11 @@ static int av1_metadata_update_fragment(AVBSFContext *bsf, AVPacket *pkt, CodedBitstreamFragment *frag) { AV1MetadataContext *ctx = bsf->priv_data; - AV1RawOBU td, *obu; int err, i; for (i = 0; i < frag->nb_units; i++) { if (frag->units[i].type == AV1_OBU_SEQUENCE_HEADER) { - obu = frag->units[i].content; + AV1RawOBU *obu = frag->units[i].content; err = av1_metadata_update_sequence_header(bsf, &obu->obu.sequence_header); if (err < 0) return err; @@ -124,12 +124,8 @@ static int av1_metadata_update_fragment(AVBSFContext *bsf, AVPacket *pkt, if (ctx->td == BSF_ELEMENT_REMOVE) ff_cbs_delete_unit(frag, 0); } else if (pkt && ctx->td == BSF_ELEMENT_INSERT) { - td = (AV1RawOBU) { - .header.obu_type = AV1_OBU_TEMPORAL_DELIMITER, - }; - err = ff_cbs_insert_unit_content(frag, 0, AV1_OBU_TEMPORAL_DELIMITER, - &td, NULL); + &ctx->td_obu, NULL); if (err < 0) { av_log(bsf, AV_LOG_ERROR, "Failed to insert Temporal Delimiter.\n"); return err; @@ -155,6 +151,12 @@ static const CBSBSFType av1_metadata_type = { static int av1_metadata_init(AVBSFContext *bsf) { + AV1MetadataContext *ctx = bsf->priv_data; + + ctx->td_obu = (AV1RawOBU) { + .header.obu_type = AV1_OBU_TEMPORAL_DELIMITER, + }; + return ff_cbs_bsf_generic_init(bsf, &av1_metadata_type); } |