From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id F217C49716
	for <ffmpegdev@gitmailbox.com>; Tue, 18 Jun 2024 00:35:16 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 0FE6668D7AF;
	Tue, 18 Jun 2024 03:35:15 +0300 (EEST)
Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com
 [209.85.210.175])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 11AAF68D78D
 for <ffmpeg-devel@ffmpeg.org>; Tue, 18 Jun 2024 03:35:09 +0300 (EEST)
Received: by mail-pf1-f175.google.com with SMTP id
 d2e1a72fcca58-70436ac8882so3701506b3a.2
 for <ffmpeg-devel@ffmpeg.org>; Mon, 17 Jun 2024 17:35:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1718670906; x=1719275706; darn=ffmpeg.org;
 h=content-transfer-encoding:in-reply-to:from:content-language
 :references:to:subject:user-agent:mime-version:date:message-id:from
 :to:cc:subject:date:message-id:reply-to;
 bh=9cnk9Je7LzWqlv6uH6rrY8QG+inOmW+eCuPbluXfRUQ=;
 b=dC1EZ93MT0yFvAuARZVYflilI9nlxx0fGXWOhwDCohdidSKgpve7ph/6UM0C3asKvg
 xZPXCOvYFKUYHn/j+wENWyTP883m8n6HXz0yAXO1s1OgT9SRk35Ht2s5MAkDSZ+KDupe
 TbJ2m70XU7E6g6atE++8QR/ayRGGTaRuWWe977axSIiBkzIiYN+vzWgee1UZdIs08Zvw
 f84zYyHt1HAcVk4GWvs80mv9kbuyNXqo6IGhk6QlOsf5JjzGkIhXA0/6vRSlI/7Ykyhc
 tNR9NMTlL6PaZ7nq2hzKpCfIq0iWlvljnwTljCsR+DbsZVlQ3CVKL3CcnThfFAHtpFLr
 Y3WQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1718670906; x=1719275706;
 h=content-transfer-encoding:in-reply-to:from:content-language
 :references:to:subject:user-agent:mime-version:date:message-id
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=9cnk9Je7LzWqlv6uH6rrY8QG+inOmW+eCuPbluXfRUQ=;
 b=R33LBwm8J4hkuzL2Fo/31FxSgJPgx7aPIx+IJdA7izF8czPKb1C7EwDxNvA8gmogXk
 Txe0GbhbC7/sKh/CAAWGaDXz+BCj+Fk2Ru7i06Q/CeO2hkbId6UXE5mNEvRcXmp9ENL4
 Jnrz+8FDZBJsSxxF1BPaWbkftwCW6rlBtsF7HY+Pduk8YwJtcYCkg0bqkFEZ9/fupje8
 g1k/HodixA6N09RmsuXoPP/HPFyEhLtud4t1A36CC1R8QRHRHba0NPjCWWysMERyh3hJ
 nDCy+xTSiBzi13vMbE0miLO6KnnOaOGou3etXJWcTypgKObns5f3cNHYdqGaIOokHOIe
 r0Rw==
X-Gm-Message-State: AOJu0YwiNFNpQKcszZSWiYOhgQRyx8UUqCJABX2hO+3DOQ+g4K9omF8Z
 /o9wmiatl669R4mt2u305oNsL9hpvkWqHegUYjB6j0/wixTYj26rJ/1cgw==
X-Google-Smtp-Source: AGHT+IFPzuhB9c51hxhWCGAuT0IACeRPLU4cNs3ROETRNnjnG5UcghwbLJ3khlVQGyRciL2pbf1Lwg==
X-Received: by 2002:aa7:8f8f:0:b0:704:2152:e4d2 with SMTP id
 d2e1a72fcca58-705d7177310mr10161831b3a.17.1718670906124; 
 Mon, 17 Jun 2024 17:35:06 -0700 (PDT)
Received: from [192.168.0.16] ([190.194.167.233])
 by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-705ccb92a4bsm7933982b3a.212.2024.06.17.17.35.04
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Mon, 17 Jun 2024 17:35:05 -0700 (PDT)
Message-ID: <3f0f5466-d151-47c5-8973-6b191825c70f@gmail.com>
Date: Mon, 17 Jun 2024 21:35:06 -0300
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: ffmpeg-devel@ffmpeg.org
References: <20240616230831.912377-1-michael@niedermayer.cc>
 <20240616230831.912377-3-michael@niedermayer.cc>
Content-Language: en-US
From: James Almer <jamrial@gmail.com>
In-Reply-To: <20240616230831.912377-3-michael@niedermayer.cc>
Subject: Re: [FFmpeg-devel] [PATCH 3/9] avformat/iamf_parse: Try to use less
 space after the array
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/3f0f5466-d151-47c5-8973-6b191825c70f@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

On 6/16/2024 8:08 PM, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 68584/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6256656668229632
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavformat/iamf_parse.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
> index 312090b247c..5c2ff6862a7 100644
> --- a/libavformat/iamf_parse.c
> +++ b/libavformat/iamf_parse.c
> @@ -355,6 +355,9 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
>           substream_count = avio_r8(pb);
>           coupled_substream_count = avio_r8(pb);
>   
> +        if (substream_count + k > audio_element->nb_substreams)
> +            return AVERROR_INVALIDDATA;
> +
>           audio_element->layers[i].substream_count         = substream_count;
>           audio_element->layers[i].coupled_substream_count = coupled_substream_count;
>           if (output_gain_is_present_flag) {

LGTM, and ditto, change the commit message.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".