From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id 246F14BF13
	for <ffmpegdev@gitmailbox.com>; Sat,  6 Dec 2025 01:57:26 +0000 (UTC)
Authentication-Results: ffbox; dkim=fail (body hash mismatch (got 
   b'88GBKMwHGUJXm0ESov6NneMK10i4vAdZPM6x4oX2Nvw=', expected 
   b'WfcFwb0z6g8HqdSmdB0NdjYTpheJrDpxqaLRSFcwniQ=')) header.d=ffmpeg.org 
   header.i=@ffmpeg.org header.a=rsa-sha256
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1764986234; h=mime-version : to :
 date : message-id : reply-to : subject : list-id : list-archive :
 list-archive : list-help : list-owner : list-post : list-subscribe :
 list-unsubscribe : from : cc : content-type :
 content-transfer-encoding : from;
 bh=88GBKMwHGUJXm0ESov6NneMK10i4vAdZPM6x4oX2Nvw=;
 b=VnLLExl+SUnlNLG32WeSSfWPle9RKpal7k86ndVmkchfXKNMDJ52WItnmTqbUXYmt0yoq
 4msr+I+xZ+G8NZerFbPlKNmtIqbtG78xj3b1SEggQohpfnHIm38yjLBBxNtcBaz2xRT3cI2
 qwn2OKMqt4OSedxoNooFC9lN9yO/STQsgE5I7ly4aG+YzEe/OZTu6UllOseVI6J2SkWRibG
 7kmSJoKpxOJQ2upbnPkAQI9CWFwg041mDF5EGLVlITjJ7DP8JYpvIWw4ZGUK7U0gk9U9DIO
 KIwurSP4LIq/KN72PSMCtETPOKtRPDknZFl6ISqf9vlPN2/st5mjf+0SNBCw==
Received: from [172.19.0.3] (unknown [172.19.0.3])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id D03746905E8;
	Sat,  6 Dec 2025 03:57:14 +0200 (EET)
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1764986210;
 b=BY9k3Z9GZ8/3nfLA6j66NAX4e3/1r6VpMac6ON/u0EBg+cIKnv/qjBFwfvYfOe7G3XjE/
 XCOILxYytBqQPXQmtgB3K4P9BVgXQKsZ2xo+r+m5mr4m+X0319zYrktLPzDYMF+5Y22b9Kh
 lH8Wt7wnjNGXq4cVuHmSztrYZT5FuMFL/bWnY9+jVcolQtVDKikg9Y3O8QgUxLnGEDAzLiJ
 wv1Bb6bCaXJhd9p1UtpsBQIG4xDR8bOVTqaDPCuMvqs1TdbTAjNKUet7DENguOrHhYruUZi
 lqhAN6/Cqp0TMabRjO9on6PCvUvr6rTtUfPETq2UZsVSkyYVDF2GH5HnvyxQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ffmpeg.org; s=arc; t=1764986210; h=from : sender : reply-to :
 subject : date : message-id : to : cc : mime-version : content-type :
 content-transfer-encoding : content-id : content-description :
 resent-date : resent-from : resent-sender : resent-to : resent-cc :
 resent-message-id : in-reply-to : references : list-id : list-help :
 list-unsubscribe : list-subscribe : list-post : list-owner :
 list-archive; bh=12QgPbtdwkQN7Np6K9OWtT3BsU7MEkuOniHB5HT1Ang=;
 b=TAVFZpF/Fpyfhdu/l410g7GMZIwgTB1f3AsGsp1T57b9tobFjhX/UaZked031qTkfg+Nk
 p4mnoQdKhpEsiL1aDp5uVea/1aIAHEqOqYK7ts3GjmGyK4K0LnIXtKwV6Eer10sYjUScAdt
 rFLdn44yiztKmQpNMMA9ip60ucLOeNq//FebgXT5iElWF3iSbrmQaqo7c0Mnt3cOBQGtPvk
 TCAJmjNsiVBO6ZTEAI/0wnNXVC68fLR13E586eUoyZWKFSFAu4HNEInTJnNWqv47eVFIaWQ
 uJTonlexp55iZi+Zrr4Gk10MHywB3Fe/8BHdBtn4nBsEk7/gok7AP1iT/Sfg==
ARC-Authentication-Results: i=1; ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none;
 dmarc=pass header.from=ffmpeg.org policy.dmarc=quarantine
Authentication-Results: ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none (Message is not ARC signed);
 dmarc=pass (Used From Domain Record) header.from=ffmpeg.org
 policy.dmarc=quarantine
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1764986201; h=content-type :
 mime-version : content-transfer-encoding : from : to : reply-to :
 subject : date : from;
 bh=WfcFwb0z6g8HqdSmdB0NdjYTpheJrDpxqaLRSFcwniQ=;
 b=lx0Z+FdvNIkvYsW9oQVFtGByUgQJq6j0Y1jAiGrm35OebnCbPahqAN7wZFvdM4N1ACjND
 VnMASB6Wrdhmj7WErJ05csoljDznqCTHlcHmNjhu/CI9/Cms1LebJcCY99ETdoD+8OogQfG
 7yFZjwhejL45dNkkUFFPBpdMli9StRw8bOQxj6A0hqyX5mdTpASR3EnvkvcDcxYpY6Re4GZ
 wO2QFhOCHJ/wQpRADNjXJbUs93+Mbw+YPObuolL/oM361ro/D2xxiVopJtou+41aCW6qGHz
 Vd5xWCoqmndnjbJwJBKMvTkfvXsxd9tX9loydivyVwKEmTSeg06u7A8sJnyA==
Received: from 55ca25703178 (code.ffmpeg.org [188.245.149.3])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id D312A690564
	for <ffmpeg-devel@ffmpeg.org>; Sat,  6 Dec 2025 03:56:41 +0200 (EET)
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 06 Dec 2025 01:56:41 -0000
Message-ID: <176498620206.39.7377392820510894229@2cb04c0e5124>
Message-ID-Hash: YDJFA5DRMI5PZRH4KAX3JXQFZEUVSTN2
X-Message-ID-Hash: YDJFA5DRMI5PZRH4KAX3JXQFZEUVSTN2
X-MailFrom: code@ffmpeg.org
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-ffmpeg-devel.ffmpeg.org-0;
 header-match-ffmpeg-devel.ffmpeg.org-1;
 header-match-ffmpeg-devel.ffmpeg.org-2;
 header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation
X-Mailman-Version: 3.3.10
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PATCH] iamf (PR #21115)
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
Archived-At: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/YDJFA5DRMI5PZRH4KAX3JXQFZEUVSTN2/>
Archived-At: 
 <https://lists.ffmpeg.org/lore/ffmpeg-devel/176498620206.39.7377392820510894229@2cb04c0e5124/>
List-Archive: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/>
List-Archive: <https://lists.ffmpeg.org/lore/ffmpeg-devel/>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Owner: <mailto:ffmpeg-devel-owner@ffmpeg.org>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Subscribe: <mailto:ffmpeg-devel-join@ffmpeg.org>
List-Unsubscribe: <mailto:ffmpeg-devel-leave@ffmpeg.org>
From: James Almer via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Cc: James Almer <code@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://master.gitmailbox.com/ffmpegdev/176498620206.39.7377392820510894229@2cb04c0e5124/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

PR #21115 opened by James Almer (jamrial)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21115
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21115.patch

An ASAN heap-buffer-overflow in scalable_channel_layout_config was caused by an unchecked assumption that the channel layout of a scalable audio layer is a superset of the previous layer's channel layout.
`scalable_channel_layout_config` constructs a channel layout map by copying channels from the previous layer and adding new ones. The memory allocation is based on the target loudspeaker_layout. However, if the target layout doesn't encompass all previous channels (e.g., Mono to Stereo), copying previous channels followed by adding current ones could exceed the allocated size, causing a heap buffer overflow.

This PR adds an exception for the know case of Mono -> Stereo, and a check to ensure the previous layer's channel layout is a subset of the current layer's layout by comparing their masks. If the condition isn't met, an error is returned.

This supersedes #21107


>>From ea3d8ad34d47dbf18ed0c4af47162263e1eb1db1 Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Fri, 5 Dec 2025 22:40:40 -0300
Subject: [PATCH 1/2] avformat/iamf_parse: fix parsing of Scalable layouts with
 Mono and Stereo layers

And ASAN heap-buffer-overflow in scalable_channel_layout_config was caused by
an unchecked assumption that the channel layout of a scalable audio layer is a
superset of the previous layer's channel layout.

scalable_channel_layout_config constructs a channel layout map by copying
channels from the previous layer and adding new ones. The memory allocation is
based on the target loudspeaker_layout. However, if the target layout doesn't
encompass all previous channels (e.g., Mono to Stereo), copying previous
channels followed by adding current ones could exceed the allocated size,
causing a heap buffer overflow.

This commit adds an exception for the know case of Mono -> Stereo, and a check
to ensure the previous layer's channel layout is a subset of the current
layer's layout by comparing their masks. If the condition isn't met,
an error is returned.

Co-authored-by: Oliver Chang <ochang@google.com>
Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavformat/iamf_parse.c | 79 ++++++++++++++++++++++++----------------
 1 file changed, 47 insertions(+), 32 deletions(-)

diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 597d800be0..3d78533faf 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -347,6 +347,41 @@ static int update_extradata(AVCodecParameters *codecpar)
     return 0;
 }
 
+static int parse_coupled_substream(AVChannelLayout *out, AVChannelLayout *in, int n)
+{
+    if (in->u.mask & AV_CH_LAYOUT_STEREO) {
+        out->u.map[n++].id = AV_CHAN_FRONT_LEFT;
+        out->u.map[n++].id = AV_CHAN_FRONT_RIGHT;
+        in->u.mask &= ~AV_CH_LAYOUT_STEREO;
+    } else if (in->u.mask & (AV_CH_FRONT_LEFT_OF_CENTER|AV_CH_FRONT_RIGHT_OF_CENTER)) {
+        out->u.map[n++].id = AV_CHAN_FRONT_LEFT_OF_CENTER;
+        out->u.map[n++].id = AV_CHAN_FRONT_RIGHT_OF_CENTER;
+        in->u.mask &= ~(AV_CH_FRONT_LEFT_OF_CENTER|AV_CH_FRONT_RIGHT_OF_CENTER);
+    } else if (in->u.mask & (AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT)) {
+        out->u.map[n++].id = AV_CHAN_SIDE_LEFT;
+        out->u.map[n++].id = AV_CHAN_SIDE_RIGHT;
+        in->u.mask &= ~(AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT);
+    } else if (in->u.mask & (AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT)) {
+        out->u.map[n++].id = AV_CHAN_BACK_LEFT;
+        out->u.map[n++].id = AV_CHAN_BACK_RIGHT;
+        in->u.mask &= ~(AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT);
+    } else if (in->u.mask & (AV_CH_TOP_FRONT_LEFT|AV_CH_TOP_FRONT_RIGHT)) {
+        out->u.map[n++].id = AV_CHAN_TOP_FRONT_LEFT;
+        out->u.map[n++].id = AV_CHAN_TOP_FRONT_RIGHT;
+        in->u.mask &= ~(AV_CH_TOP_FRONT_LEFT|AV_CH_TOP_FRONT_RIGHT);
+    } else if (in->u.mask & (AV_CH_TOP_SIDE_LEFT|AV_CH_TOP_SIDE_RIGHT)) {
+        out->u.map[n++].id = AV_CHAN_TOP_SIDE_LEFT;
+        out->u.map[n++].id = AV_CHAN_TOP_SIDE_RIGHT;
+        in->u.mask &= ~(AV_CH_TOP_SIDE_LEFT|AV_CH_TOP_SIDE_RIGHT);
+    } else if (in->u.mask & (AV_CH_TOP_BACK_LEFT|AV_CH_TOP_BACK_RIGHT)) {
+        out->u.map[n++].id = AV_CHAN_TOP_BACK_LEFT;
+        out->u.map[n++].id = AV_CHAN_TOP_BACK_RIGHT;
+        in->u.mask &= ~(AV_CH_TOP_BACK_LEFT|AV_CH_TOP_BACK_RIGHT);
+    }
+
+    return n;
+}
+
 static int scalable_channel_layout_config(void *s, AVIOContext *pb,
                                           IAMFAudioElement *audio_element,
                                           const IAMFCodecConfig *codec_config)
@@ -395,12 +430,19 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
 
         if (!i && loudspeaker_layout == 15)
             expanded_loudspeaker_layout = avio_r8(pb);
-        if (expanded_loudspeaker_layout > 0 && expanded_loudspeaker_layout < 13) {
+        if (expanded_loudspeaker_layout >= 0 && expanded_loudspeaker_layout < 13) {
             av_channel_layout_copy(&ch_layout, &ff_iamf_expanded_scalable_ch_layouts[expanded_loudspeaker_layout]);
         } else if (loudspeaker_layout < 10) {
             av_channel_layout_copy(&ch_layout, &ff_iamf_scalable_ch_layouts[loudspeaker_layout]);
-            if (i)
-                ch_layout.u.mask &= ~av_channel_layout_subset(&audio_element->element->layers[i-1]->ch_layout, UINT64_MAX);
+            if (i) {
+                uint64_t mask = av_channel_layout_subset(&audio_element->element->layers[i-1]->ch_layout, UINT64_MAX);
+                // When the first layer is Mono, the second layer may not have the C channel (e.g. Stereo)
+                if (audio_element->element->layers[i-1]->ch_layout.nb_channels == 1)
+                    n--;
+                else if ((ch_layout.u.mask & mask) != mask)
+                    return AVERROR_INVALIDDATA;
+                ch_layout.u.mask &= ~mask;
+            }
         } else
             ch_layout = (AVChannelLayout){ .order = AV_CHANNEL_ORDER_UNSPEC,
                                                           .nb_channels = substream_count +
@@ -430,38 +472,11 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
 
             coupled_substream_count = audio_element->layers[i].coupled_substream_count;
             while (coupled_substream_count--) {
-                if (ch_layout.u.mask & AV_CH_LAYOUT_STEREO) {
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_FRONT_LEFT;
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_FRONT_RIGHT;
-                    ch_layout.u.mask &= ~AV_CH_LAYOUT_STEREO;
-                } else if (ch_layout.u.mask & (AV_CH_FRONT_LEFT_OF_CENTER|AV_CH_FRONT_RIGHT_OF_CENTER)) {
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_FRONT_LEFT_OF_CENTER;
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_FRONT_RIGHT_OF_CENTER;
-                    ch_layout.u.mask &= ~(AV_CH_FRONT_LEFT_OF_CENTER|AV_CH_FRONT_RIGHT_OF_CENTER);
-                } else if (ch_layout.u.mask & (AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT)) {
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_SIDE_LEFT;
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_SIDE_RIGHT;
-                    ch_layout.u.mask &= ~(AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT);
-                } else if (ch_layout.u.mask & (AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT)) {
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_BACK_LEFT;
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_BACK_RIGHT;
-                    ch_layout.u.mask &= ~(AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT);
-                } else if (ch_layout.u.mask & (AV_CH_TOP_FRONT_LEFT|AV_CH_TOP_FRONT_RIGHT)) {
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_TOP_FRONT_LEFT;
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_TOP_FRONT_RIGHT;
-                    ch_layout.u.mask &= ~(AV_CH_TOP_FRONT_LEFT|AV_CH_TOP_FRONT_RIGHT);
-                } else if (ch_layout.u.mask & (AV_CH_TOP_SIDE_LEFT|AV_CH_TOP_SIDE_RIGHT)) {
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_TOP_SIDE_LEFT;
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_TOP_SIDE_RIGHT;
-                    ch_layout.u.mask &= ~(AV_CH_TOP_SIDE_LEFT|AV_CH_TOP_SIDE_RIGHT);
-                } else if (ch_layout.u.mask & (AV_CH_TOP_BACK_LEFT|AV_CH_TOP_BACK_RIGHT)) {
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_TOP_BACK_LEFT;
-                    layer->ch_layout.u.map[n++].id = AV_CHAN_TOP_BACK_RIGHT;
-                    ch_layout.u.mask &= ~(AV_CH_TOP_BACK_LEFT|AV_CH_TOP_BACK_RIGHT);
-                }
+                n = parse_coupled_substream(&layer->ch_layout, &ch_layout, n);
             }
 
             substream_count -= audio_element->layers[i].coupled_substream_count;
+            n = parse_coupled_substream(&layer->ch_layout, &ch_layout, n); // In case the first layer is Mono
             while (substream_count--) {
                 if (ch_layout.u.mask & AV_CH_FRONT_CENTER) {
                     layer->ch_layout.u.map[n++].id = AV_CHAN_FRONT_CENTER;
-- 
2.49.1


>>From b319de8b62e475ca493ddf302ea995ec5e7535ad Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Fri, 5 Dec 2025 22:53:22 -0300
Subject: [PATCH 2/2] avformat/iamf_parse: add a few extra sanity checks

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavformat/iamf_parse.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 3d78533faf..756d9f0f09 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -418,7 +418,8 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
         substream_count = avio_r8(pb);
         coupled_substream_count = avio_r8(pb);
 
-        if (substream_count + k > audio_element->nb_substreams)
+        if (!substream_count || coupled_substream_count > substream_count ||
+            substream_count + k > audio_element->nb_substreams)
             return AVERROR_INVALIDDATA;
 
         audio_element->layers[i].substream_count         = substream_count;
@@ -488,6 +489,9 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
                 }
             }
 
+            if (n != ch_layout.nb_channels)
+                return AVERROR_INVALIDDATA;
+
             ret = av_channel_layout_retype(&layer->ch_layout, AV_CHANNEL_ORDER_NATIVE, 0);
             if (ret < 0 && ret != AVERROR(ENOSYS))
                 return ret;
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org