From mboxrd@z Thu Jan 1 00:00:00 1970
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 07 Feb 2026 22:29:36 -0000
Message-ID: <177050337736.25.11726316464052818727@4457048688e7>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PR] avformat/iamf: sanitize block and subblock durations and count (PR #21676)
List-Id: FFmpeg development discussions and patches
From: James Almer via ffmpeg-devel
Cc: James Almer
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

PR #21676 opened by James Almer (jamrial)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21676
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21676.patch

>>From 042bb51d07d42728383f3739f172ca0e313df769 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Sat, 7 Feb 2026 19:21:02 -0300
Subject: [PATCH 1/3] avutil/iamf: stop setting parameter definition block defaults

It was done for the sake of having subblock_duration not be zero as the spec forbids that value, but hardcoding it to any arbitrary value is no better considering the user is meant to fill the entire structure.
This helps speed up the function when trying to allocate a struct with a huge amount of blocks.

Signed-off-by: James Almer
--- libavutil/iamf.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavutil/iamf.c b/libavutil/iamf.c index ea0c87428f..76707563cb 100644 --- a/libavutil/iamf.c +++ b/libavutil/iamf.c
@@ -226,8 +226,6 @@ AVIAMFParamDefinition *av_iamf_param_definition_alloc(enum AVIAMFParamDefinition default: av_assert0(0); } - - av_opt_set_defaults(subblock); } if (out_size) -- 2.52.0 >>From cdf217136d2ac114eed96277d84312c57ad929c2 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 7 Feb 2026 19:26:45 -0300 Subject: [PATCH 2/3] avformat/iamf_parse: sanitize block and subblock durations and count Abort earlier if subblock durations are inconsistent with their containing block, and ensure each subblock duration is at least 1. Signed-off-by: James Almer --- libavformat/iamf_parse.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index 5ed5e87fb7..a4a636c3aa 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -642,6 +642,11 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb, } } + if (nb_subblocks > duration) { + av_log(s, AV_LOG_ERROR, "Invalid duration or subblock count in parameter_id %u\n", parameter_id); + return AVERROR_INVALIDDATA; + } + param = av_iamf_param_definition_alloc(type, nb_subblocks, ¶m_size); if (!param) return AVERROR(ENOMEM); @@ -652,6 +657,11 @@ static int param_parse(void *s, IAMFContext *c, AVIOContext *pb, if (constant_subblock_duration == 0) { subblock_duration = ffio_read_leb(pb); + if (duration - total_duration > subblock_duration) { + av_log(s, AV_LOG_ERROR, "Invalid subblock durations in parameter_id %u\n", parameter_id); + av_free(param); + return AVERROR_INVALIDDATA; + } total_duration += subblock_duration; } else if (i == nb_subblocks - 1) subblock_duration = duration - i * constant_subblock_duration; -- 2.52.0 >>From bd86940a07af5e5ca38a305b50ff369406b029ed Mon Sep 17 00:00:00 2001 
From: James Almer Date: Sat, 7 Feb 2026 19:26:54 -0300 Subject: [PATCH 3/3] avformat/iamf_reader: sanitize block and subblock durations and count Abort earlier if subblock durations are inconsistent with their containing block, and ensure each subblock duration is at least 1. Signed-off-by: James Almer --- libavformat/iamf_reader.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c index f7abdf4207..0c2c3306d9 100644 --- a/libavformat/iamf_reader.c +++ b/libavformat/iamf_reader.c @@ -158,6 +158,12 @@ static int parameter_block_obu(AVFormatContext *s, IAMFDemuxContext *c, nb_subblocks = param->nb_subblocks; } + if (nb_subblocks > duration) { + av_log(s, AV_LOG_ERROR, "Invalid duration or subblock count in parameter_id %u\n", parameter_id); + ret = AVERROR_INVALIDDATA; + goto fail; + } + out_param = av_iamf_param_definition_alloc(param->type, nb_subblocks, &out_param_size); if (!out_param) { ret = AVERROR(ENOMEM); @@ -177,6 +183,11 @@ static int parameter_block_obu(AVFormatContext *s, IAMFDemuxContext *c, if (!param_definition->mode && !constant_subblock_duration) { subblock_duration = ffio_read_leb(pb); + if (duration - total_duration > subblock_duration) { + av_log(s, AV_LOG_ERROR, "Invalid subblock durations in parameter_id %u\n", parameter_id); + ret = AVERROR_INVALIDDATA; + goto fail; + } total_duration += subblock_duration; } else if (i == nb_subblocks - 1) subblock_duration = duration - i * constant_subblock_duration; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
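Review bot: In [PATCH 1/3] (libavutil/iamf.c, av_iamf_param_definition_alloc()), removing av_opt_set_defaults(subblock) changes what callers receive, and nothing in the hunk documents the new contract: each subblock no longer gets its option defaults, including the subblock_duration value that the commit message says the spec forbids from being zero. Please state in the function's documentation that the caller must fill every subblock field, duration included, and confirm that in-tree callers which relied on the defaults for the other options are covered by this series.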
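Review bot: In [PATCH 2/3], first hunk of param_parse(), the new `nb_subblocks > duration` test bounds the count only relative to duration, so the count handed to av_iamf_param_definition_alloc() can still be as large as duration allows, and the case where both values are 0 passes the check. Since [PATCH 1/3] cites allocations with a huge amount of blocks as a concern, consider an absolute ceiling on nb_subblocks at this point, and an explicit rejection of a zero duration if that is not valid for this parameter type.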
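Review bot: In [PATCH 2/3], second hunk of param_parse(), the added comparison looks inverted: `duration - total_duration > subblock_duration` rejects any subblock that is shorter than the remaining block duration, so a block split into two equal subblocks fails on the first one, while a subblock longer than the remainder is accepted and total_duration can then exceed duration on the next iteration. The commit message describes rejecting inconsistent durations and enforcing a minimum of 1, so the test is presumably meant to be `subblock_duration > duration - total_duration`, together with a rejection of `subblock_duration == 0`, which this hunk does not contain.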
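Review bot: In [PATCH 3/3] (libavformat/iamf_reader.c, parameter_block_obu()), both added checks are copies of the ones [PATCH 2/3] adds to param_parse(), down to the log strings, so the second one carries the same comparison direction, `duration - total_duration > subblock_duration`, and the same absence of a zero-duration test. Moving the two checks into one helper shared by both parsers would keep them from drifting apart, and it is worth verifying that the fail label releases out_param, since the second check can fire after the allocation has succeeded.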