1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-19 05:49:09 +02:00

133 Commits

Author SHA1 Message Date
Timo Rothenpieler
7945d30e91 avutil/mem: limit alignment to maximum simd align
FFmpeg has instances of DECLARE_ALIGNED(32, ...) in a lot of structs,
which then end up heap-allocated.
By declaring any variable in a struct, or tree of structs, to be 32 byte
aligned, it allows the compiler to safely assume the entire struct
itself is also 32 byte aligned.

This might make the compiler emit code which straight up crashes or
misbehaves in other ways, and at least in one instances is now
documented to actually do (see ticket 10549 on trac).
The issue there is that an unrelated variable in SingleChannelElement is
declared to have an alignment of 32 bytes. So if the compiler does a copy
in decode_cpe() with avx instructions, but ffmpeg is built with
--disable-avx, this results in a crash, since the memory is only 16 byte
aligned.

Mind you, even if the compiler does not emit avx instructions, the code
is still invalid and could misbehave. It just happens not to. Declaring
any variable in a struct with a 32 byte alignment promises 32 byte
alignment of the whole struct to the compiler.

This patch limits the maximum alignment to the maximum possible simd
alignment according to configure.
While not perfect, it at the very least gets rid of a lot of UB, by
matching up the maximum DECLARE_ALIGNED value with the alignment of heap
allocations done by lavu.
2024-02-27 19:41:09 +01:00
Timo Rothenpieler
4618b5ebb9 Revert "avutil/mem: limit alignment to maximum simd align"
Patch was not intended to be part of the set it got pushed with.

This reverts commit 6154137b186734961726ae538ab5cbe287bab163.
2024-02-09 20:20:03 +01:00
Timo Rothenpieler
6154137b18 avutil/mem: limit alignment to maximum simd align
FFmpeg has instances of DECLARE_ALIGNED(32, ...) in a lot of structs,
which then end up heap-allocated.
By declaring any variable in a struct, or tree of structs, to be 32 byte
aligned, it allows the compiler to safely assume the entire struct
itself is also 32 byte aligned.

This might make the compiler emit code which straight up crashes or
misbehaves in other ways, and at least in one instances is now
documented to actually do (see ticket 10549 on trac).
The issue there is that an unrelated variable in SingleChannelElement is
declared to have an alignment of 32 bytes. So if the compiler does a copy
in decode_cpe() with avx instructions, but ffmpeg is built with
--disable-avx, this results in a crash, since the memory is only 16 byte
aligned.

Mind you, even if the compiler does not emit avx instructions, the code
is still invalid and could misbehave. It just happens not to. Declaring
any variable in a struct with a 32 byte alignment promises 32 byte
alignment of the whole struct to the compiler.

This patch limits the maximum alignment to the maximum possible simd
alignment according to configure.
While not perfect, it at the very least gets rid of a lot of UB, by
matching up the maximum DECLARE_ALIGNED value with the alignment of heap
allocations done by lavu.
2024-02-09 18:11:49 +01:00
James Almer
dc1b8135e0 avutil: remove FF_API_AV_MALLOCZ_ARRAY
Signed-off-by: James Almer <jamrial@gmail.com>
2023-02-09 15:35:14 +01:00
Andreas Rheinhardt
aca09ed7d4 avutil/mem: Handle fast allocations near UINT_MAX properly
av_fast_realloc and av_fast_mallocz? store the size of
the objects they allocate in an unsigned. Yet they overallocate
and currently they can allocate more than UINT_MAX bytes
in case a user has requested a size of about UINT_MAX * 16 / 17
or more if SIZE_MAX > UINT_MAX (and if the user increased
max_alloc_size via av_max_alloc). In this case it is impossible
to store the true size of the buffer via the unsigned*;
future requests are likely to use the (re)allocation codepath
even if the buffer is actually large enough because of
the incorrect size.

Fix this by ensuring that the actually allocated size
always fits into an unsigned. (This entails erroring out
in case the user requested more than UINT_MAX.)

Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2022-07-06 22:53:15 +02:00
Andreas Rheinhardt
636631d9db Remove unnecessary libavutil/(avutil|common|internal).h inclusions
Some of these were made possible by moving several common macros to
libavutil/macros.h.

While just at it, also improve the other headers a bit.

Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2022-02-24 12:56:49 +01:00
Andreas Rheinhardt
8d5de914d3 avutil/mem: Deprecate av_mallocz_array()
It does the same as av_calloc(), so one of them should be removed.
Given that av_calloc() has the shorter name, it is retained.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-09-20 01:04:09 +02:00
Andreas Rheinhardt
f9126b62b6 avutil/mem: Reinline av_size_mult() internally
Since 580e168a945b65100ec2c25433f33bfacfe9f7be, av_size_mult() is no
longer inlined; on systems where interposing is a thing, this also
inhibits the compiler from inlining said function into the internal
callers of said function, although inlining such a small function is
typically beneficial: With GCC 10.3 on Ubuntu x64 and -O3 this decreases
the size of av_realloc_array from 91B to 23B, from 129B to 81B for
av_realloc_f and from 77B to 23B for each of av_malloc_array,
av_mallocz_array and av_calloc.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-08-12 15:25:58 +02:00
Andreas Rheinhardt
2934a4b9a5 Remove unnecessary avassert.h inclusions
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-07-22 15:02:30 +02:00
Anton Khirnov
580e168a94 lavu/mem: un-inline av_size_mult()
There seems to be no compelling reason for it to be inline.
2021-06-11 19:42:47 +02:00
James Almer
918fc9a0ed avutil/mem: check for max_alloc_size in av_fast_malloc()
This puts av_fast_malloc*() in line with av_fast_realloc().

Signed-off-by: James Almer <jamrial@gmail.com>
2021-05-27 10:29:59 -03:00
James Almer
786be70e28 avutil/mem: make ff_fast_malloc() internal to mem.c
Signed-off-by: James Almer <jamrial@gmail.com>
2021-05-27 10:29:52 -03:00
James Almer
be96f4b616 avutil/mem: make max_alloc_size an atomic type
Signed-off-by: James Almer <jamrial@gmail.com>
2021-05-23 11:26:22 -03:00
Andreas Rheinhardt
8b83a4a885 avutil/mem: Also poison new av_realloc-allocated blocks
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-04-30 10:24:32 +02:00
Andreas Rheinhardt
731c775898 avutil/mem: Use max_alloc_size as-is
The size of a single allocation performed by av_malloc() or av_realloc()
is supposed to be bounded by max_alloc_size, which defaults to INT_MAX
and can be set by the user; yet currently this is not completely
honoured: The actual value used is max_alloc_size - 32. How this came
to be can only be understood historically:

a) 0ecca7a49f8e254c12a3a1de048d738bfbb614c6 disallowed allocations
> INT_MAX. At that time the size parameter of av_malloc() was an
unsigned and the commentary added ("lets disallow possible ambiguous
cases") indicates that this was done as a precaution against calling the
functions with negative int values. Genuinely limiting the size of
allocations to INT_MAX doesn't seem to have been the intention given
that at this time the memalign hack introduced in commit
da9b170c6f06184a5114dc66afb8385cd0ffff83 (which when enabled increased
the size of allocations slightly so that one can return a correctly
aligned pointer that actually does not point to the beginning of the
allocated buffer) was already present.
b) Said memalign hack allocated 17 bytes more than actually desired, yet
allocating 16 bytes more is actually enough and so this was changed in
a9493601638b048c44751956d2360f215918800c; this commit also replaced
INT_MAX by INT_MAX - 16 (and made the limit therefore a limit on the size
of the allocated buffer), but kept the comment, although there is nothing
ambiguous about allocating (INT_MAX - 16)..INT_MAX.
c) 13dfce3d44f99a2d7df71aba8ae003d58db726f7 then increased 16 to 32 for
AVX, 6b4c0be5586acad3bbafd7d2dd02a8328a5ab632 replaced INT_MAX by
MAX_MALLOC_SIZE (which was of course defined to be INT_MAX) and
5a8e994287d8ef181c0a5eac537547d7059b4524 added max_alloc_size and made
it user-selectable.
d) 4fb311c804098d78e5ce5f527f9a9c37536d3a08 then dropped the memalign
hack, yet it kept the -32 (probably because the comment about ambiguous
cases was still present?), although it is no longer needed at all after
this commit. Therefore this commit removes it and uses max_alloc_size
directly.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-05-26 06:47:31 +02:00
Carl Eugen Hoyos
b7d9507bb8 lavu/mem: Make other alloc functions more similar to av_malloc().
Do not limit the array allocation functions and av_calloc() to allocations
of INT_MAX, instead depend on max_alloc_size like av_malloc().

Allows a workaround for ticket #7140.
2020-04-12 22:32:03 +02:00
Michael Niedermayer
12b1338be3 avutil/mem: Optimize fill32() by unrolling and using 64bit
Reviewed-by: Marton Balint <cus@passwd.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-01-20 21:42:20 +01:00
Carl Eugen Hoyos
695b1d8111 lavu/mem: Allow allocations close to max_alloc_size with av_fast_realloc(). 2018-01-04 05:39:18 +01:00
Carl Eugen Hoyos
21b5990da4 lavu/mem: Do not realloc in av_fast_realloc() if size == min_size.
This can avoid OOM for min_size close to FFmpeg's arbitrary alloc limits.
2018-01-01 22:30:22 +01:00
James Darnley
e2218ed8ce avutil: add alignment needed for AVX-512 2017-12-24 22:02:41 +01:00
James Almer
4959f18a8e Merge commit '04b0f0e371ff81b682274b574fb465ba4395c09f'
* commit '04b0f0e371ff81b682274b574fb465ba4395c09f':
  mem: uninline av_malloc(z)_array()

Merged-by: James Almer <jamrial@gmail.com>
2017-10-30 16:08:14 -03:00
Anton Khirnov
04b0f0e371 mem: uninline av_malloc(z)_array()
Inlining public functions hardcodes their implementation into the ABI,
so it should be avoided unless there is a very good reason for it. No
such reason exists in this case.
2017-04-26 09:05:28 +02:00
Clément Bœsch
3835283293 Merge commit '4fb311c804098d78e5ce5f527f9a9c37536d3a08'
* commit '4fb311c804098d78e5ce5f527f9a9c37536d3a08':
  Drop memalign hack

Merged, as this may indeed be uneeded since
46e3936fb04d06550151e667357065e3f646da1a.

Merged-by: Clément Bœsch <u@pkh.me>
2017-03-20 08:54:44 +01:00
Diego Biurrun
4fb311c804 Drop memalign hack
It no longer serves a useful purpose.
2016-09-03 15:11:29 +02:00
Timothy Gu
04da20e58f dynarray: Change AV_ to FF_ for AV_DYNARRAY_ADD
The header is not installed and the macro isn't used outside libavutil,
so it is obviously privat to libavutil. Make the name reflect that.
2016-07-31 10:19:03 -07:00
Zhao Zhili
65b2feb890 avutil/mem: fix memleak
The original code assumes av_realloc() will free ptr if size is zero.
The assumes is incorrect now.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-07-28 12:09:05 +02:00
Michael Niedermayer
fc91eeab0b avutil/mem: Add av_fast_mallocz()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-11-18 22:05:16 +01:00
Michael Niedermayer
d6ff68ad85 Factor duplicated ff_fast_malloc() out into mem_internal.h
internal.h is difficult to use due to circular dependancies
mem.h is a public header ff_* is not public
Alternative solutions probably are possible too

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-13 02:41:43 +02:00
Michael Niedermayer
b3415e4c5f avutil/mem: Fix potential overflow in overallocation code
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-11 22:47:09 +02:00
Michael Niedermayer
4950bd4ebe libavutil/mem: use size_t for the length in av_strdup()
the string length is not constrained to INT_MAX

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-05-10 16:06:50 +02:00
Michael Niedermayer
63186ac5f1 avutil/mem: replace remaining void **/*** casts by memcpy()
This is similar to 60392480181f24ebf3ab48d8ac3614705de90152

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-02-03 14:28:56 +01:00
Michael Niedermayer
fa73358c9b Merge commit '60392480181f24ebf3ab48d8ac3614705de90152'
* commit '60392480181f24ebf3ab48d8ac3614705de90152':
  mem: fix pointer pointer aliasing violations

Conflicts:
	libavutil/mem.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2015-02-01 13:52:22 +01:00
Rémi Denis-Courmont
6039248018 mem: fix pointer pointer aliasing violations
This uses explicit memory copying to read and write pointer to pointers
of arbitrary object types. This works provided that the architecture
uses the same representation for all pointer types (the previous code
made that assumption already anyway).

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2015-02-01 02:28:40 +01:00
Michael Niedermayer
c8571c61ec Merge commit '8ddc32629a6d6be77256694c9e322dde134609f3'
* commit '8ddc32629a6d6be77256694c9e322dde134609f3':
  mem: add av_strndup() for duplicating substrings

Conflicts:
	libavutil/mem.c
	libavutil/mem.h
	libavutil/version.h

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2014-08-14 00:29:06 +02:00
Anton Khirnov
8ddc32629a mem: add av_strndup() for duplicating substrings 2014-08-13 17:24:18 +00:00
Lukasz Marek
cd50a44beb lavu/mem: add av_dynarray_add_nofree function
av_dynarray_add_nofree function have similar functionality
as existing av_dynarray_add, but it doesn't deallocate memory
on fails.

Signed-off-by: Lukasz Marek <lukasz.m.luki@gmail.com>
2014-03-29 09:48:48 +01:00
Michael Niedermayer
9ba1190297 avutil/mem: avoid using intptr_t to access void* in av_dynarray_add()
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2014-03-22 21:14:57 +01:00
Nicolas George
b0dcf76530 lavu/mem: reimplement the dynarray functions with the macro.
Signed-off-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2014-03-22 20:53:36 +01:00
Michael Niedermayer
7c888ae746 Merge commit 'cce3e0a49f0dd030262c28d9c53de0bd2fd909c4'
* commit 'cce3e0a49f0dd030262c28d9c53de0bd2fd909c4':
  Move av_fast_{m,re}alloc from lavc to lavu.

Conflicts:
	libavcodec/avcodec.h
	libavcodec/utils.c
	libavutil/mem.c
	libavutil/version.h

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-11-14 15:04:04 +01:00
Anton Khirnov
cce3e0a49f Move av_fast_{m,re}alloc from lavc to lavu. 2013-11-14 09:42:22 +01:00
Michael Niedermayer
21b3563dcb Merge remote-tracking branch 'qatar/master'
* qatar/master:
  mem: Make av_strdup allocate using av_realloc

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-10-17 08:13:42 +02:00
Martin Storsjö
d433e1aefa mem: Make av_strdup allocate using av_realloc
This makes sure that pointers from av_strdup are reallocable,
which is used in av_dict_set if the AV_DICT_APPEND flag is set.

Nothing should rely on pointers from av_strdup being aligned.

Signed-off-by: Martin Storsjö <martin@martin.st>
2013-10-16 18:59:01 +03:00
Michael Niedermayer
6c169c2fa4 Merge commit '67e285ceca1cb602a5ab87010b30d904527924fe'
* commit '67e285ceca1cb602a5ab87010b30d904527924fe':
  mem: Handle av_reallocp(..., 0) properly

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-09-21 09:36:58 +02:00
Martin Storsjö
67e285ceca mem: Handle av_reallocp(..., 0) properly
Previously this did a double free (and returned an error).

Reported-by: Justin Ruggles
Signed-off-by: Martin Storsjö <martin@martin.st>
2013-09-20 21:23:08 +03:00
Michael Niedermayer
c74c3fb142 Merge commit '3feb3d6ce4be0a09a9f8f13d613bed25b523b6e7'
* commit '3feb3d6ce4be0a09a9f8f13d613bed25b523b6e7':
  mem: Introduce av_reallocp

Conflicts:
	doc/APIchanges
	libavutil/mem.c
	libavutil/mem.h
	libavutil/version.h

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-09-17 11:06:26 +02:00
Luca Barbato
3feb3d6ce4 mem: Introduce av_reallocp 2013-09-16 19:36:37 +02:00
Michael Niedermayer
5866c107a9 Merge commit 'c3e6e8f06c42499bd020fd0b37f9542150e6067b'
* commit 'c3e6e8f06c42499bd020fd0b37f9542150e6067b':
  mem: Do not check unsigned values for negative size

Conflicts:
	libavutil/mem.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-09-06 12:21:16 +02:00
Michael Niedermayer
92424a45d0 Merge commit 'b634b36fcebfe16b837b6c4044f5d5cb99a75040'
* commit 'b634b36fcebfe16b837b6c4044f5d5cb99a75040':
  mem: Improve documentation wording and spelling

Conflicts:
	libavutil/mem.c
	libavutil/mem.h

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-09-06 12:05:02 +02:00
Diego Biurrun
c3e6e8f06c mem: Do not check unsigned values for negative size 2013-09-05 12:38:43 +02:00
Diego Biurrun
b634b36fce mem: Improve documentation wording and spelling 2013-09-05 12:38:43 +02:00