From 66f8055c898887c33ab124ca5f00ee60bf5fcf19 Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Mon, 18 Oct 2021 21:07:11 -0300
Subject: avcodec/libx264: copy unregistered data SEI messages to the input
 x264 picture

Fixes undefined behavior.

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavcodec/libx264.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

(limited to 'libavcodec/libx264.c')

diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c
index 507fee39f2..13cdd6a022 100644
--- a/libavcodec/libx264.c
+++ b/libavcodec/libx264.c
@@ -115,9 +115,6 @@ typedef struct X264Context {
      * encounter a frame with ROI side data.
      */
     int roi_warned;
-
-    void *sei_data;
-    int sei_data_size;
 } X264Context;
 
 static void X264_log(void *p, int level, const char *fmt, va_list args)
@@ -322,7 +319,6 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame,
 
     if (frame) {
         x264_sei_t *sei = &x4->pic.extra_sei;
-        sei->num_payloads = 0;
 
         for (i = 0; i < x4->pic.img.i_plane; i++) {
             x4->pic.img.plane[i]    = frame->data[i];
@@ -449,20 +445,24 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame,
 
         for (int j = 0; j < frame->nb_side_data; j++) {
             AVFrameSideData *side_data = frame->side_data[j];
+            unsigned int sei_data_size = 0;
             void *tmp;
             x264_sei_payload_t *sei_payload;
             if (side_data->type != AV_FRAME_DATA_SEI_UNREGISTERED)
                 continue;
-            tmp = av_fast_realloc(x4->sei_data, &x4->sei_data_size, (sei->num_payloads + 1) * sizeof(*sei_payload));
+            tmp = av_fast_realloc(sei->payloads, &sei_data_size, (sei->num_payloads + 1) * sizeof(*sei_payload));
             if (!tmp) {
-                av_freep(&x4->pic.extra_sei.payloads);
                 av_freep(&x4->pic.prop.quant_offsets);
                 return AVERROR(ENOMEM);
             }
-            x4->sei_data = tmp;
-            sei->payloads = x4->sei_data;
+            sei->payloads = tmp;
+            sei->sei_free = av_free;
             sei_payload = &sei->payloads[sei->num_payloads];
-            sei_payload->payload = side_data->data;
+            sei_payload->payload = av_memdup(side_data->data, side_data->size);
+            if (!sei_payload->payload) {
+                av_freep(&x4->pic.prop.quant_offsets);
+                return AVERROR(ENOMEM);
+            }
             sei_payload->payload_size = side_data->size;
             sei_payload->payload_type = SEI_TYPE_USER_DATA_UNREGISTERED;
             sei->num_payloads++;
@@ -533,8 +533,6 @@ static av_cold int X264_close(AVCodecContext *avctx)
     x264_param_cleanup(&x4->params);
 #endif
 
-    av_freep(&x4->sei_data);
-
     if (x4->enc) {
         x264_encoder_close(x4->enc);
         x4->enc = NULL;
-- 
cgit v1.2.3