From: James Almer via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: James Almer <code@ffmpeg.org>
Subject: [FFmpeg-devel] [PR] avformat/iamf: sanitize block and subblock durations and count (PR #21676)
Date: Sat, 07 Feb 2026 22:29:36 -0000
Message-ID: <177050337736.25.11726316464052818727@4457048688e7> (raw)

PR #21676 opened by James Almer (jamrial)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21676
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21676.patch


>From 042bb51d07d42728383f3739f172ca0e313df769 Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Sat, 7 Feb 2026 19:21:02 -0300
Subject: [PATCH 1/3] avutil/iamf: stop setting parameter definition block
 defaults

It was done for the sake of having subblock_duration not be zero as the spec
forbids that value, but hardcoding it to any arbitrary value is no better
considering the user is meant to fill the entire structure.

This helps speeding up the function when trying to allocate a struct with a
huge amount of blocks.

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavutil/iamf.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/libavutil/iamf.c b/libavutil/iamf.c
index ea0c87428f..76707563cb 100644
--- a/libavutil/iamf.c
+++ b/libavutil/iamf.c
@@ -226,8 +226,6 @@ AVIAMFParamDefinition *av_iamf_param_definition_alloc(enum AVIAMFParamDefinition
         default:
             av_assert0(0);
         }
-
-        av_opt_set_defaults(subblock);
     }
 
     if (out_size)
-- 
2.52.0


>From cdf217136d2ac114eed96277d84312c57ad929c2 Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Sat, 7 Feb 2026 19:26:45 -0300
Subject: [PATCH 2/3] avformat/iamf_parse: sanitize block and subblock
 durations and count

Abort earlier if subblock durations are inconsistent with their containing block,
and ensure each subblock duration is at least 1.

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavformat/iamf_parse.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 5ed5e87fb7..a4a636c3aa 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -642,6 +642,11 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb,
         }
     }
 
+    if (nb_subblocks > duration) {
+        av_log(s, AV_LOG_ERROR, "Invalid duration or subblock count in parameter_id %u\n", parameter_id);
+        return AVERROR_INVALIDDATA;
+    }
+
     param = av_iamf_param_definition_alloc(type, nb_subblocks, &param_size);
     if (!param)
         return AVERROR(ENOMEM);
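Review bot: The new `nb_subblocks > duration` guard in param_parse bounds the subblock count only relative to `duration`. If `duration` is itself read from the bitstream (its parsing is outside this hunk), a crafted file can still choose both values large and reach `av_iamf_param_definition_alloc()` with a very large count. Consider an absolute ceiling on `nb_subblocks` as well, and a comment stating the invariant, e.g. `/* each subblock lasts at least one tick, so there cannot be more subblocks than ticks */`. The same applies to the matching check in parameter_block_obu() in libavformat/iamf_reader.c. param_parse starts and ends outside the hunk.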
@@ -652,6 +657,11 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb,
 
         if (constant_subblock_duration == 0) {
             subblock_duration = ffio_read_leb(pb);
+            if (duration - total_duration > subblock_duration) {
+                av_log(s, AV_LOG_ERROR, "Invalid subblock durations in parameter_id %u\n", parameter_id);
+                av_free(param);
+                return AVERROR_INVALIDDATA;
+            }
             total_duration += subblock_duration;
         } else if (i == nb_subblocks - 1)
             subblock_duration = duration - i * constant_subblock_duration;
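Review bot: The comparison `duration - total_duration > subblock_duration` looks inverted. It rejects a subblock that is shorter than the remaining block duration, so a block split into two or more explicit subblocks would fail on its first one, while a subblock longer than the remainder is accepted. The intended test is presumably `if (subblock_duration > duration - total_duration)`. The commit message also promises a minimum duration of 1, but no line in this hunk rejects `subblock_duration == 0`; adding `!subblock_duration ||` to the condition would cover it. Both points apply equally to the second hunk of libavformat/iamf_reader.c, and the loop and function bodies extend beyond the hunk.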
-- 
2.52.0


>From bd86940a07af5e5ca38a305b50ff369406b029ed Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Sat, 7 Feb 2026 19:26:54 -0300
Subject: [PATCH 3/3] avformat/iamf_reader: sanitize block and subblock
 durations and count

Abort earlier if subblock durations are inconsistent with their containing block,
and ensure each subblock duration is at least 1.

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavformat/iamf_reader.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c
index f7abdf4207..0c2c3306d9 100644
--- a/libavformat/iamf_reader.c
+++ b/libavformat/iamf_reader.c
@@ -158,6 +158,12 @@ static int parameter_block_obu(AVFormatContext *s, IAMFDemuxContext *c,
         nb_subblocks = param->nb_subblocks;
     }
 
+    if (nb_subblocks > duration) {
+        av_log(s, AV_LOG_ERROR, "Invalid duration or subblock count in parameter_id %u\n", parameter_id);
+        ret = AVERROR_INVALIDDATA;
+        goto fail;
+    }
+
     out_param = av_iamf_param_definition_alloc(param->type, nb_subblocks, &out_param_size);
     if (!out_param) {
         ret = AVERROR(ENOMEM);
@@ -177,6 +183,11 @@ static int parameter_block_obu(AVFormatContext *s, IAMFDemuxContext *c,
 
         if (!param_definition->mode && !constant_subblock_duration) {
             subblock_duration = ffio_read_leb(pb);
+            if (duration - total_duration > subblock_duration) {
+                av_log(s, AV_LOG_ERROR, "Invalid subblock durations in parameter_id %u\n", parameter_id);
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
             total_duration += subblock_duration;
         } else if (i == nb_subblocks - 1)
             subblock_duration = duration - i * constant_subblock_duration;
-- 
2.52.0
