PR #21523 opened by James Almer (jamrial) URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21523 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21523.patch
Exporting unknown layouts as unspec type is pointless in a format that expects the user to remix the channels in location specific ways. This simplifies assumptions and reduces the chances of heap buffer overflows. >From 2bc471a3012ad213188fd171f2542175d78a1f45 Mon Sep 17 00:00:00 2001 From: James Almer <[email protected]> Date: Mon, 19 Jan 2026 21:00:39 -0300 Subject: [PATCH] avformat/iamf_parse: stop trying to parse files that report an unknown layout Exporting unknown layouts as unspec type is pointless in a format that expects the user to remix the channels in location specific ways. This simplifies assumptions and reduces the chances of heap buffer overflows. Fixes: heap-buffer-overflow Fixes: clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6363647720095744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: James Almer <[email protected]> --- libavformat/iamf_parse.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index a31f7689b3..5ed5e87fb7 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -451,10 +451,13 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb, return AVERROR_INVALIDDATA; ch_layout.u.mask &= ~mask; } - } else - ch_layout = (AVChannelLayout){ .order = AV_CHANNEL_ORDER_UNSPEC, - .nb_channels = substream_count + - coupled_substream_count }; + } else { + if (expanded_loudspeaker_layout >= 0) + avpriv_request_sample(s, "expanded_loudspeaker_layout %d", expanded_loudspeaker_layout); + else + avpriv_request_sample(s, "loudspeaker_layout %d", loudspeaker_layout); + return AVERROR_PATCHWELCOME; + } channels = ch_layout.nb_channels; if (i) { 
@@ -476,11 +479,9 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb, return ret; } - if (ch_layout.order == AV_CHANNEL_ORDER_NATIVE) { ret = av_channel_layout_custom_init(&layer->ch_layout, ch_layout.nb_channels); if (ret < 0) return ret; - for (int j = 0; j < n; j++) layer->ch_layout.u.map[j].id = av_channel_layout_channel_from_index(&audio_element->element->layers[i-1]->ch_layout, j); @@ -508,8 +509,6 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb, ret = av_channel_layout_retype(&layer->ch_layout, AV_CHANNEL_ORDER_NATIVE, 0); if (ret < 0 && ret != AVERROR(ENOSYS)) return ret; - } else // AV_CHANNEL_ORDER_UNSPEC - av_channel_layout_copy(&layer->ch_layout, &ch_layout); } if (k != audio_element->nb_substreams) -- 2.52.0
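Review bot: In the new `else` branch of the first hunk (`@@ -451,10 +451,13`), the choice of which field to report rests on `expanded_loudspeaker_layout >= 0`, so it depends on that variable holding a negative value whenever the expanded field was not read from the bitstream, and that initialization is outside the visible lines. A one-line comment above the test stating the sentinel (for example that a negative value means "not present") would keep the two `avpriv_request_sample()` messages from being swapped silently if the initialization ever changes.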
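Review bot: In the second hunk (`@@ -476,11 +479,9`), the loop `for (int j = 0; j < n; j++)` writes `layer->ch_layout.u.map[j].id` into a map that `av_channel_layout_custom_init()` sized with `ch_layout.nb_channels`, and nothing in the visible lines bounds `n` by that count. With the `AV_CHANNEL_ORDER_NATIVE` guard removed this path is no longer conditional on the layout order, and since the patch is a heap-buffer-overflow fix it is worth making the invariant explicit before the loop, either with a check such as `if (n > ch_layout.nb_channels) return AVERROR_INVALIDDATA;` or with an assert if the bound is already guaranteed earlier in the function.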
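Review bot: In the third hunk (`@@ -508,8 +509,6`), the remaining `if (ret < 0 && ret != AVERROR(ENOSYS))` after `av_channel_layout_retype()` still accepts `ENOSYS` without comment, which means a layer can leave this block with its layout in custom order rather than native. Now that the `// AV_CHANNEL_ORDER_UNSPEC` fallback and its comment are gone, a short comment here saying that a custom-order result is intended when the retype is not possible would document the only two outcomes callers have to handle.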
