From: James Almer To: ffmpeg-devel@ffmpeg.org Date: Mon, 23 Jun 2025 13:40:53 -0300 Message-ID: <20250623164053.3815-1-jamrial@gmail.com> X-Mailer: git-send-email 2.50.0 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH] avformat/iamf_parse: prevent overreads in update_extradata X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: Fixes: libavcodec/put_bits.h:232:32: runtime error: shift exponent -19 is negative Fixes: Assertion n>=0 && n<=32 failed at ./libavcodec/get_bits.h:406 Fixes: 398527871/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6602025714647040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: James Almer --- libavformat/iamf_parse.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index 71497876ac..46a74ea679 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -288,7 +288,7 @@ static int update_extradata(AVCodecParameters *codecpar) uint8_t buf[6]; int size = FFMIN(codecpar->extradata_size, sizeof(buf)); - init_put_bits(&pb, buf, size); + init_put_bits(&pb, buf, sizeof(buf)); ret = init_get_bits8(&gb, codecpar->extradata, size); if (ret < 0) return ret; 
@@ -304,7 +304,10 @@ static int update_extradata(AVCodecParameters *codecpar) skip_bits(&gb, 4); put_bits(&pb, 4, codecpar->ch_layout.nb_channels); // set channel config - ret = put_bits_left(&pb); + ret = get_bits_left(&gb); + if (ret < 0) + return AVERROR_INVALIDDATA; + ret = FFMIN(ret, put_bits_left(&pb)); while (ret >= 32) { put_bits32(&pb, get_bits_long(&gb, 32)); ret -= 32; @@ -317,9 +320,10 @@ static int update_extradata(AVCodecParameters *codecpar) } case AV_CODEC_ID_FLAC: { uint8_t buf[13]; + int size = FFMIN(codecpar->extradata_size, sizeof(buf)); init_put_bits(&pb, buf, sizeof(buf)); - ret = init_get_bits8(&gb, codecpar->extradata, codecpar->extradata_size); + ret = init_get_bits8(&gb, codecpar->extradata, size); if (ret < 0) return ret; @@ -328,11 +332,14 @@ static int update_extradata(AVCodecParameters *codecpar) put_bits(&pb, 20, get_bits(&gb, 20)); // samplerate skip_bits(&gb, 3); put_bits(&pb, 3, codecpar->ch_layout.nb_channels - 1); - ret = put_bits_left(&pb); + ret = get_bits_left(&gb); + if (ret < 0) + return AVERROR_INVALIDDATA; + ret = FFMIN(ret, put_bits_left(&pb)); put_bits(&pb, ret, get_bits(&gb, ret)); flush_put_bits(&pb); - memcpy(codecpar->extradata, buf, sizeof(buf)); + memcpy(codecpar->extradata, buf, put_bytes_output(&pb)); break; } } -- 2.50.0
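Review bot: in the first hunk (@@ -288,7) the writer is now sized to the full `sizeof(buf)` (6 bytes) while the reader stays bounded by `size = FFMIN(codecpar->extradata_size, sizeof(buf))`, so for short extradata the writer can hold more bits than the reader supplies. That is what lets the fixed-field `put_bits` calls stop tripping the negative-shift in put_bits.h, but the copy of `buf` back into `codecpar->extradata` for this branch lies between the second and third hunks and is not shown; unlike the FLAC hunk it is not switched to `put_bytes_output(&pb)`. If it still copies `sizeof(buf)`, it writes 6 bytes into an extradata buffer whose `extradata_size` may be smaller than that. Please bound it the same way as the FLAC branch, e.g. `memcpy(codecpar->extradata, buf, put_bytes_output(&pb));`, or note in the commit message why the Opus path cannot reach that case.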
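Review bot: in the second hunk (@@ -304,7) the new `if (ret < 0) return AVERROR_INVALIDDATA;` only catches the overrun after `skip_bits(&gb, 4)` and the earlier fixed-field reads have already run past the end of a truncated `extradata`; it is correct because `get_bits_left()` reports the deficit as a negative count, but the reason is not obvious from the code. A short comment on the check (or an up-front `if (codecpar->extradata_size < <minimum header length>) return AVERROR_INVALIDDATA;` before `init_get_bits8`, with the branch's fixed-field size) would make the contract explicit and reject truncated input before any bits are consumed. The `FFMIN(ret, put_bits_left(&pb))` clamp plus the existing `put_bits32` loop for `ret >= 32` looks right for the tail copy.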
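Review bot: in the fourth hunk (@@ -328,11) the tail is copied with a single `put_bits(&pb, ret, get_bits(&gb, ret));`, which is only valid while `ret <= 32` (the commit message quotes exactly that assertion, `n>=0 && n<=32`, from get_bits.h). The value of `put_bits_left(&pb)` after the 3-bit channel field depends on the fields written above line 328, which are not in the hunk, so the bound is invisible to a reader of this function; the Opus branch guards the same situation with its `while (ret >= 32)` loop. Either add the same loop here or an `av_assert0(ret <= 32)` with a comment stating that `buf[13]` leaves fewer than 32 bits at this point. The `memcpy(codecpar->extradata, buf, put_bytes_output(&pb))` change is sound: the writer emits exactly the bits the reader consumed, and the reader is bounded by `size <= extradata_size`, so the copy can never exceed the destination; `extradata_size` itself is not updated, so any bytes beyond `put_bytes_output(&pb)` keep their previous contents, which matches the old behaviour for `extradata_size > 13` but is worth a comment.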