This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch master in repository ffmpeg.
commit 34ac6f6b07a01f40fb18d78040e5ef9872830205 Author: James Almer <[email protected]> AuthorDate: Sat Feb 7 19:26:45 2026 -0300 Commit: James Almer <[email protected]> CommitDate: Sun Feb 8 21:58:06 2026 -0300 avformat/iamf_parse: sanitize block and subblock durations and count Abort earlier if subblock durations are inconsistent with their containing block, and ensure each subblock duration is at least 1. Signed-off-by: James Almer <[email protected]> --- libavformat/iamf_parse.c | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index 5ed5e87fb7..2a2993b865 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -633,15 +633,31 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb, duration = ffio_read_leb(pb); if (!duration) return AVERROR_INVALIDDATA; + if (audio_element) { + const IAMFCodecConfig *codec_config = ff_iamf_get_codec_config(c, audio_element->codec_config_id); + if (duration > av_rescale(codec_config->nb_samples, codec_config->sample_rate, parameter_rate)) { + av_log(s, AV_LOG_ERROR, "Invalid block duration in parameter_id %u\n", parameter_id); + return AVERROR_INVALIDDATA; + } + } constant_subblock_duration = ffio_read_leb(pb); if (constant_subblock_duration == 0) nb_subblocks = ffio_read_leb(pb); else { + if (constant_subblock_duration > duration) { + av_log(s, AV_LOG_ERROR, "Invalid block duration in parameter_id %u\n", parameter_id); + return AVERROR_INVALIDDATA; + } nb_subblocks = duration / constant_subblock_duration; total_duration = duration; } } + if (nb_subblocks > duration) { + av_log(s, AV_LOG_ERROR, "Invalid duration or subblock count in parameter_id %u\n", parameter_id); + return AVERROR_INVALIDDATA; + } + param = av_iamf_param_definition_alloc(type, nb_subblocks, ¶m_size); if (!param) return AVERROR(ENOMEM); @@ -652,6 +668,11 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb, if (constant_subblock_duration == 0) { subblock_duration = ffio_read_leb(pb); + if (duration - total_duration > subblock_duration) { + av_log(s, AV_LOG_ERROR, "Invalid subblock durations in parameter_id %u\n", parameter_id); + av_free(param); + return AVERROR_INVALIDDATA; + } total_duration += subblock_duration; } else if (i == nb_subblocks - 1) subblock_duration = duration - i * constant_subblock_duration; @@ -1061,7 +1082,7 @@ static int mix_presentation_obu(void *s, IAMFContext *c, AVIOContext *pb, int le avio_skip(pbc, rendering_config_extension_size); ret = param_parse(s, c, pbc, AV_IAMF_PARAMETER_DEFINITION_MIX_GAIN, - NULL, + audio_element, &submix_element->element_mix_config); if (ret < 0) goto fail; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
