From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 13 May 2025 20:45:00 -0300
Message-ID: <20250513234500.4930-1-jamrial@gmail.com>
In-Reply-To: <20250513162533.GE29660@pb2>
Subject: [FFmpeg-devel] [PATCH] avformat/iamf_parse: increase PutBytes buffer when writing AAC extradata

We may write up to 43 bits, so 5 bytes is not enough.

Fixes: Assertion n>=0 && n<=32 failed at ./libavcodec/get_bits.h:406
Fixes: 398527871/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6602025714647040
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer
---
 libavformat/iamf_parse.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index abedfdb066..11c27ebe98 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -285,7 +285,7 @@ static int update_extradata(AVCodecParameters *codecpar) AV_WL16A(codecpar->extradata + 16, AV_RB16A(codecpar->extradata + 16)); // Byte swap Output Gain break; case AV_CODEC_ID_AAC: { - uint8_t buf[5]; + uint8_t buf[6]; init_put_bits(&pb, buf, sizeof(buf)); ret = init_get_bits8(&gb, codecpar->extradata, codecpar->extradata_size); 
@@ -304,6 +304,10 @@ static int update_extradata(AVCodecParameters *codecpar) skip_bits(&gb, 4); put_bits(&pb, 4, codecpar->ch_layout.nb_channels); // set channel config ret = put_bits_left(&pb); + while (ret >= 32) { + put_bits32(&pb, get_bits_long(&gb, 32)); + ret -= 32; + } put_bits(&pb, ret, get_bits_long(&gb, ret)); flush_put_bits(&pb); -- 2.49.0
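
Review bot: In the first hunk (@@ -285,7 +285,7 @@), the new `uint8_t buf[6];` is a bare size whose reason is recorded only in the commit message ("We may write up to 43 bits"), not at the declaration. A short comment next to the declaration stating the maximum bit count, or a size derived from that count, would keep the buffer and the fields written into it from drifting apart again the next time the AAC case is touched.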
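
Review bot: In the second hunk (@@ -304,6 +304,10 @@), the tail copy takes its length from `ret = put_bits_left(&pb);`, that is from the space left in `buf`, and nothing in the visible lines bounds it by what is still available in `gb`. Both the new `while (ret >= 32)` loop and the final `put_bits(&pb, ret, get_bits_long(&gb, ret));` therefore read as many bits from `codecpar->extradata` as the output buffer has room for, and the larger `buf` raises that amount by 8 bits; if no earlier check in the function already guarantees it, clamping the count to `get_bits_left(&gb)` before the loop would make the read depend on the input size rather than the output size. As a style point, `ret` carries the `init_get_bits8()` result a few lines earlier and is reused here as a bit counter; a dedicated variable for the remaining bits would make the loop easier to follow.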