PR #21676 opened by James Almer (jamrial) URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21676 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21676.patch
>From 042bb51d07d42728383f3739f172ca0e313df769 Mon Sep 17 00:00:00 2001
From: James Almer <[email protected]>
Date: Sat, 7 Feb 2026 19:21:02 -0300
Subject: [PATCH 1/3] avutil/iamf: stop setting parameter definition block defaults

It was done for the sake of having subblock_duration not be zero as the spec forbids that value, but harcoding it to any arbitrary value is no better considering the user is meant to fill the entire structure. This helps speeding up the function when trying to allocate a struct with a huge amount of blocks.

Signed-off-by: James Almer <[email protected]>
---
 libavutil/iamf.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/libavutil/iamf.c b/libavutil/iamf.c
index ea0c87428f..76707563cb 100644
--- a/libavutil/iamf.c
+++ b/libavutil/iamf.c
@@ -226,8 +226,6 @@ AVIAMFParamDefinition *av_iamf_param_definition_alloc(enum AVIAMFParamDefinition
         default:
             av_assert0(0);
         }
-
-        av_opt_set_defaults(subblock);
     }
 
     if (out_size)
-- 
2.52.0

>From cdf217136d2ac114eed96277d84312c57ad929c2 Mon Sep 17 00:00:00 2001
From: James Almer <[email protected]>
Date: Sat, 7 Feb 2026 19:26:45 -0300
Subject: [PATCH 2/3] avformat/iamf_parse: sanitize block and subblock durations and count

Abort earlier if subblock durations are inconsistent with their containing block, and ensure each subblock duration is at least 1.

Signed-off-by: James Almer <[email protected]>
---
 libavformat/iamf_parse.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 5ed5e87fb7..a4a636c3aa 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -642,6 +642,11 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb,
         }
     }
 
+    if (nb_subblocks > duration) {
+        av_log(s, AV_LOG_ERROR, "Invalid duration or subblock count in parameter_id %u\n", parameter_id);
+        return AVERROR_INVALIDDATA;
+    }
+
     param = av_iamf_param_definition_alloc(type, nb_subblocks, ¶m_size);
     if (!param)
         return AVERROR(ENOMEM);
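Review bot: With `av_opt_set_defaults(subblock)` gone, every subblock field now holds whatever the allocation earlier in av_iamf_param_definition_alloc left there, so unless that allocation is zeroing (the call is outside this hunk) a caller that fills only some fields reads indeterminate memory; worth confirming it is av_mallocz and saying so. Either way this is a caller-visible change to a public libavutil API, so the function's doxygen should state that subblocks are no longer initialised to defaults and that the caller must set every field, in particular a non-zero `subblock_duration` since the commit message says the spec forbids zero, e.g. `@note subblocks are not initialised to defaults; the caller must fill every field, in particular a non-zero subblock_duration`. An APIchanges entry would presumably be expected for that as well. The function starts and ends outside this hunk.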
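Review bot: The new guard `nb_subblocks > duration` deserves a comment explaining why a count is being compared against a duration, because the relation is not obvious on its own: `/* every subblock must span at least one tick, so there cannot be more subblocks than ticks */`. It also only bounds the allocation that follows by `duration`, which is itself read from the bitstream and can be the full leb range, so a descriptor of a few bytes can still make `av_iamf_param_definition_alloc` attempt a very large allocation before ENOMEM is reported; if `nb_subblocks` is read directly from the OBU when `constant_subblock_duration == 0` (that code is above the hunk), each subblock then costs at least one byte of `subblock_duration`, so additionally capping `nb_subblocks` by the bytes left in the OBU would give a tighter and cheaper rejection. The ENOMEM path is handled, so this is a resource-exhaustion concern rather than a memory-safety one. param_parse starts and ends outside this hunk.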
@@ -652,6 +657,11 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb,
         if (constant_subblock_duration == 0) {
             subblock_duration = ffio_read_leb(pb);
+            if (duration - total_duration > subblock_duration) {
+                av_log(s, AV_LOG_ERROR, "Invalid subblock durations in parameter_id %u\n", parameter_id);
+                av_free(param);
+                return AVERROR_INVALIDDATA;
+            }
             total_duration += subblock_duration;
         } else if (i == nb_subblocks - 1)
             subblock_duration = duration - i * constant_subblock_duration;
-- 
2.52.0

>From bd86940a07af5e5ca38a305b50ff369406b029ed Mon Sep 17 00:00:00 2001
From: James Almer <[email protected]>
Date: Sat, 7 Feb 2026 19:26:54 -0300
Subject: [PATCH 3/3] avformat/iamf_reader: sanitize block and subblock durations and count

Abort earlier if subblock durations are inconsistent with their containing block, and ensure each subblock duration is at least 1.

Signed-off-by: James Almer <[email protected]>
---
 libavformat/iamf_reader.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c
index f7abdf4207..0c2c3306d9 100644
--- a/libavformat/iamf_reader.c
+++ b/libavformat/iamf_reader.c
@@ -158,6 +158,12 @@ static int parameter_block_obu(AVFormatContext *s, IAMFDemuxContext *c,
         nb_subblocks = param->nb_subblocks;
     }
 
+    if (nb_subblocks > duration) {
+        av_log(s, AV_LOG_ERROR, "Invalid duration or subblock count in parameter_id %u\n", parameter_id);
+        ret = AVERROR_INVALIDDATA;
+        goto fail;
+    }
+
     out_param = av_iamf_param_definition_alloc(param->type, nb_subblocks, &out_param_size);
     if (!out_param) {
         ret = AVERROR(ENOMEM);
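Review bot: The comparison `duration - total_duration > subblock_duration` looks inverted as shown: it fires whenever the subblock is shorter than the span still remaining, which is the normal case for every non-final subblock of a well-formed block, while a subblock longer than the remainder passes and makes `total_duration` overshoot `duration`. The check the commit message describes, including the "at least 1" guarantee, would be `if (!subblock_duration || subblock_duration > duration - total_duration)`; with that form `total_duration` can never exceed `duration`, so the unsigned subtraction cannot wrap on a later iteration. Any post-loop `total_duration != duration` check is outside this hunk and should stay, since the last subblock may still leave a shortfall. The loop and param_parse both start and end outside this hunk.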
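Review bot: This guard bounds `nb_subblocks` only by `duration`, and both come either from the bitstream or from a definition parsed earlier, so a parameter block OBU of a handful of bytes can still make the `av_iamf_param_definition_alloc` below try to allocate room for up to the full leb range of subblocks before ENOMEM is reported. Each subblock of a parameter block has payload read later in the loop (outside this hunk), so a tighter and cheaper rejection is available by also capping `nb_subblocks` at the number of bytes left in the OBU — presumably the OBU length is available to parameter_block_obu; confirm against the caller. A short comment on the check itself would also help, e.g. `/* each subblock spans at least one tick, so nb_subblocks <= duration */`, since the count-versus-duration comparison is not self-explanatory. parameter_block_obu starts and ends outside this hunk.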
@@ -177,6 +183,11 @@ static int parameter_block_obu(AVFormatContext *s, IAMFDemuxContext *c,
         if (!param_definition->mode && !constant_subblock_duration) {
             subblock_duration = ffio_read_leb(pb);
+            if (duration - total_duration > subblock_duration) {
+                av_log(s, AV_LOG_ERROR, "Invalid subblock durations in parameter_id %u\n", parameter_id);
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
             total_duration += subblock_duration;
         } else if (i == nb_subblocks - 1)
             subblock_duration = duration - i * constant_subblock_duration;
-- 
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
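Review bot: As shown, `duration - total_duration > subblock_duration` rejects every subblock that is shorter than the remaining span — the normal case for all but the last subblock — and lets a subblock that is longer than the remainder through, so the check appears inverted and does not by itself provide the non-zero duration the commit message describes. `if (!subblock_duration || subblock_duration > duration - total_duration)` expresses the intended invariant and keeps `total_duration <= duration`, so the unsigned subtraction cannot wrap on the next iteration. Whether a post-loop `total_duration != duration` check exists is outside this hunk; one is still needed for a final subblock that falls short. The loop and parameter_block_obu start and end outside this hunk.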
