From cfebf3d76c3981a40be5779f6afe19a015788e90 Mon Sep 17 00:00:00 2001
From: CastagnaIT <gottardo.stefano.83@gmail.com>
Date: Sat, 1 Jul 2023 17:24:52 +0200
Subject: [PATCH 1/3] [FragmSampleReader] Removed extra memory reserved

---
 src/samplereader/FragmentedSampleReader.cpp | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/samplereader/FragmentedSampleReader.cpp b/src/samplereader/FragmentedSampleReader.cpp
index c1c47491a..d19f8ffa8 100644
--- a/src/samplereader/FragmentedSampleReader.cpp
+++ b/src/samplereader/FragmentedSampleReader.cpp
@@ -149,10 +149,7 @@ AP4_Result CFragmentedSampleReader::ReadSample()
 
     if (m_decrypter)
     {
-      // Make sure that the decrypter is NOT allocating memory!
-      // If decrypter and addon are compiled with different DEBUG / RELEASE
-      // options freeing HEAP memory will fail.
-      m_sampleData.Reserve(m_encrypted.GetDataSize() + 4096);
+      m_sampleData.Reserve(m_encrypted.GetDataSize());
       if (AP4_FAILED(result =
                          m_decrypter->DecryptSampleData(m_poolId, m_encrypted, m_sampleData, NULL)))
       {
@@ -174,7 +171,7 @@ AP4_Result CFragmentedSampleReader::ReadSample()
     }
     else if (useDecryptingDecoder)
     {
-      m_sampleData.Reserve(m_encrypted.GetDataSize() + 1024);
+      m_sampleData.Reserve(m_encrypted.GetDataSize());
       m_singleSampleDecryptor->DecryptSampleData(m_poolId, m_encrypted, m_sampleData, nullptr, 0,
                                                  nullptr, nullptr);
     }

From e94527ae9280df1b1437311af05f42b6f07ee8d9 Mon Sep 17 00:00:00 2001
From: CastagnaIT <gottardo.stefano.83@gmail.com>
Date: Mon, 31 Jul 2023 17:45:26 +0200
Subject: [PATCH 2/3] [wvdecrypter] Fix memory heap corruption

---
 wvdecrypter/wvdecrypter.cpp | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/wvdecrypter/wvdecrypter.cpp b/wvdecrypter/wvdecrypter.cpp
index 65d015a70..ea3120b45 100644
--- a/wvdecrypter/wvdecrypter.cpp
+++ b/wvdecrypter/wvdecrypter.cpp
@@ -1162,11 +1162,8 @@ AP4_Result WV_CencSingleSampleDecrypter::DecryptSampleData(AP4_UI32 pool_id,
 
     if (fragInfo.nal_length_size_ && (!iv || bytes_of_cleartext_data[0] > 0))
     {
-      //Note that we assume that there is enough data in data_out to hold everything without reallocating.
-
       //check NAL / subsample
       const AP4_Byte *packet_in(data_in.GetData()), *packet_in_e(data_in.GetData() + data_in.GetDataSize());
-      AP4_Byte *packet_out(data_out.UseData() + data_out.GetDataSize());
       AP4_UI16 *clrb_out(iv ? reinterpret_cast<AP4_UI16*>(data_out.UseData() + sizeof(subsample_count)):nullptr);
       unsigned int nalunitcount(0), nalunitsum(0), configSize(0);
 
@@ -1178,19 +1175,18 @@ AP4_Result WV_CencSingleSampleDecrypter::DecryptSampleData(AP4_UI32 pool_id,
         //look if we have to inject sps / pps
         if (fragInfo.annexb_sps_pps_.GetDataSize() && (*packet_in & 0x1F) != 9 /*AVC_NAL_AUD*/)
         {
-          memcpy(packet_out, fragInfo.annexb_sps_pps_.GetData(), fragInfo.annexb_sps_pps_.GetDataSize());
-          packet_out += fragInfo.annexb_sps_pps_.GetDataSize();
+          data_out.AppendData(fragInfo.annexb_sps_pps_.GetData(),
+                              fragInfo.annexb_sps_pps_.GetDataSize());
           if(clrb_out) *clrb_out += fragInfo.annexb_sps_pps_.GetDataSize();
           configSize = fragInfo.annexb_sps_pps_.GetDataSize();
           fragInfo.annexb_sps_pps_.SetDataSize(0);
         }
 
-        //Anex-B Start pos
-        packet_out[0] = packet_out[1] = packet_out[2] = 0; packet_out[3] = 1;
-        packet_out += 4;
-        memcpy(packet_out, packet_in, nalsize);
+        // Annex-B Start pos
+        static AP4_Byte annexbStartCode[4] = {0x00, 0x00, 0x00, 0x01};
+        data_out.AppendData(annexbStartCode, 4);
+        data_out.AppendData(packet_in, nalsize);
         packet_in += nalsize;
-        packet_out += nalsize;
         if (clrb_out) *clrb_out += (4 - fragInfo.nal_length_size_);
         ++nalunitcount;
 
@@ -1230,7 +1226,6 @@ AP4_Result WV_CencSingleSampleDecrypter::DecryptSampleData(AP4_UI32 pool_id,
                  static_cast<unsigned int>(packet_in_e - packet_in), subsample_count);
         return AP4_ERROR_NOT_SUPPORTED;
       }
-      data_out.SetDataSize(data_out.GetDataSize() + data_in.GetDataSize() + configSize + (4 - fragInfo.nal_length_size_) * nalunitcount);
     }
     else
       data_out.AppendData(data_in.GetData(), data_in.GetDataSize());

From 234b079c84ddc1f73fc170ff21440a3187cf6eee Mon Sep 17 00:00:00 2001
From: CastagnaIT <gottardo.stefano.83@gmail.com>
Date: Tue, 1 Aug 2023 09:13:21 +0200
Subject: [PATCH 3/3] [wvdecrypter_android] Fix memory heap corruption

---
 wvdecrypter/wvdecrypter_android.cpp | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/wvdecrypter/wvdecrypter_android.cpp b/wvdecrypter/wvdecrypter_android.cpp
index fbb47dc76..b570670be 100644
--- a/wvdecrypter/wvdecrypter_android.cpp
+++ b/wvdecrypter/wvdecrypter_android.cpp
@@ -1121,11 +1121,8 @@ AP4_Result WV_CencSingleSampleDecrypter::DecryptSampleData(AP4_UI32 pool_id,
 
     if (fragInfo.nal_length_size_ && (!iv || bytes_of_cleartext_data[0] > 0))
     {
-      //Note that we assume that there is enough data in data_out to hold everything without reallocating.
-
       //check NAL / subsample
       const AP4_Byte *packet_in(data_in.GetData()), *packet_in_e(data_in.GetData() + data_in.GetDataSize());
-      AP4_Byte *packet_out(data_out.UseData() + data_out.GetDataSize());
       AP4_UI16 *clrb_out(iv ? reinterpret_cast<AP4_UI16*>(data_out.UseData() + sizeof(subsample_count)) : nullptr);
       unsigned int nalunitcount(0), nalunitsum(0), configSize(0);
 
@@ -1137,19 +1134,18 @@ AP4_Result WV_CencSingleSampleDecrypter::DecryptSampleData(AP4_UI32 pool_id,
         //look if we have to inject sps / pps
         if (fragInfo.annexb_sps_pps_.GetDataSize() && (*packet_in & 0x1F) != 9 /*AVC_NAL_AUD*/)
         {
-          memcpy(packet_out, fragInfo.annexb_sps_pps_.GetData(), fragInfo.annexb_sps_pps_.GetDataSize());
-          packet_out += fragInfo.annexb_sps_pps_.GetDataSize();
+          data_out.AppendData(fragInfo.annexb_sps_pps_.GetData(),
+                              fragInfo.annexb_sps_pps_.GetDataSize());
           if (clrb_out) *clrb_out += fragInfo.annexb_sps_pps_.GetDataSize();
           configSize = fragInfo.annexb_sps_pps_.GetDataSize();
           fragInfo.annexb_sps_pps_.SetDataSize(0);
         }
 
-        //Anex-B Start pos
-        packet_out[0] = packet_out[1] = packet_out[2] = 0; packet_out[3] = 1;
-        packet_out += 4;
-        memcpy(packet_out, packet_in, nalsize);
+        // Annex-B Start pos
+        static AP4_Byte annexbStartCode[4] = {0x00, 0x00, 0x00, 0x01};
+        data_out.AppendData(annexbStartCode, 4);
+        data_out.AppendData(packet_in, nalsize);
         packet_in += nalsize;
-        packet_out += nalsize;
         if (clrb_out) *clrb_out += (4 - fragInfo.nal_length_size_);
         ++nalunitcount;
 
@@ -1188,7 +1184,6 @@ AP4_Result WV_CencSingleSampleDecrypter::DecryptSampleData(AP4_UI32 pool_id,
                   fragInfo.nal_length_size_, (int)(packet_in_e - packet_in), subsample_count);
         return AP4_ERROR_NOT_SUPPORTED;
       }
-      data_out.SetDataSize(data_out.GetDataSize() + data_in.GetDataSize() + configSize + (4 - fragInfo.nal_length_size_) * nalunitcount);
     }
     else
     {