From 6f88b90f6c77c5e419736edfe6e2a6fe216dc3d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?=
Date: Fri, 4 Jul 2025 19:56:59 +0200
Subject: [PATCH] avutil/avstring: shrink allocation from av_get_token to fit token
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

av_get_token() allocates an output buffer with the same size as the input. Generally, this is harmless, but when the input string is large and consists of many small tokens, calling av_get_token() repeatedly to extract all tokens will significantly amplify memory allocations. To fix this, after obtaining the return value, simply realloc the buffer to the actual size needed for output string. Fixes OOM when parsing filter graph string. Fixes OSS-Fuzz: 394983446
Signed-off-by: Kacper Michajłow
---
 libavutil/avstring.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavutil/avstring.c b/libavutil/avstring.c
index 875eb691db..281c5cdc88 100644
--- a/libavutil/avstring.c
+++ b/libavutil/avstring.c
@@ -142,7 +142,7 @@ end:
 char *av_get_token(const char **buf, const char *term)
 {
- char *out = av_malloc(strlen(*buf) + 1);
+ char *out = av_realloc(NULL, strlen(*buf) + 1);
 char *ret = out, *end = out;
 const char *p = *buf;
 if (!out)
@@ -172,7 +172,8 @@ char *av_get_token(const char **buf, const char *term)
 *buf = p;
- return ret;
+ char *small_ret = av_realloc(ret, out - ret + 2);
+ return small_ret ? small_ret : ret;
 }
 char *av_strtok(char *s, const char *delim, char **saveptr)
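Review bot: The switch from `av_malloc()` to `av_realloc(NULL, ...)` on the first changed line carries no comment saying why, so it reads like an oddity that a later cleanup could revert. Presumably it is there because the buffer is handed to `av_realloc()` just before the return in the second hunk, and that call expects a pointer that itself came from `av_realloc()`; confirm against the allocator's documentation. I would add `/* allocated with av_realloc() because the result is shrunk with av_realloc() before returning */` above the declaration. The body of av_get_token() continues outside this hunk.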
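Review bot: The size `out - ret + 2` passed to `av_realloc()` relies on where `out` is left by the code between the two hunks, which is not visible here; if `out` can end anywhere other than on the last kept character, the buffer is shrunk below the string's terminator and callers read past the allocation. Assuming `out` does point at the last character of the token (one before `ret` for an empty token), the value is the token length plus the terminator and is correct, but it deserves a comment such as `/* out is the last character written: (out - ret + 1) bytes of token plus the NUL */`. Falling back to `ret` when the shrink fails is right, since the original block stays valid. Each call still runs `strlen(*buf)` and allocates the full remaining length first, so the excess is only given back afterwards and the total work over many small tokens is presumably still quadratic in the input length. The function starts above this hunk.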