Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 6/6] avfilter/af_surround: Check av_channel_layout_channel_from_index() stays within the fixed array used
Date: Sun, 7 Jul 2024 23:28:54 -0300
Message-ID: <a1f609b3-5419-461b-960f-ae96c630a8f7@gmail.com> (raw)
In-Reply-To: <20240707215917.GT4991@pb2>

On 7/7/2024 6:59 PM, Michael Niedermayer wrote:
> On Sun, Jul 07, 2024 at 09:12:06PM +0200, Andreas Rheinhardt wrote:
>> Andreas Rheinhardt:
>>> Michael Niedermayer:
>>>> Fixes: CID1516994 Out-of-bounds access
>>>> Fixes: CID1516996 Out-of-bounds access
>>>> Fixes: CID1516999 Out-of-bounds access
>>>>
>>>> Sponsored-by: Sovereign Tech Fund
>>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>>> ---
>>>>   libavfilter/af_surround.c | 3 +++
>>>>   1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c
>>>> index e37dddc3614..fab39a37ea9 100644
>>>> --- a/libavfilter/af_surround.c
>>>> +++ b/libavfilter/af_surround.c
>>>> @@ -269,6 +269,9 @@ static int config_output(AVFilterLink *outlink)
>>>>   
>>>>       for (int ch = 0; ch < outlink->ch_layout.nb_channels; ch++) {
>>>>           float iscale = 1.f;
>>>> +        const int chan = av_channel_layout_channel_from_index(&s->out_ch_layout, ch);
>>>> +        if (chan >= FF_ARRAY_ELEMS(sc_map))
>>>> +            return AVERROR_PATCHWELCOME;
>>>>   
>>>>           ret = av_tx_init(&s->irdft[ch], &s->itx_fn, AV_TX_FLOAT_RDFT,
>>>>                            1, s->win_size, &iscale, 0);
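Review bot: the added test `if (chan >= FF_ARRAY_ELEMS(sc_map))` rejects a negative `chan` only because the signed `int` is implicitly converted to the unsigned type of the array-size expression; writing it as `chan < 0 || chan >= FF_ARRAY_ELEMS(sc_map)` would make the lower bound explicit and survive a later change of either type. The early `return AVERROR_PATCHWELCOME;` is also silent in the lines shown, so an av_log() naming the unsupported channel before it would tell the user why the output layout was refused.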
>>>
>>> Can this happen?
> 
> IMHO, this doesn't matter. A filter that depends on an audio channel layout
> API from another lib cannot depend on its implementation but just the
> public API/ABI.
> So even if the av_channel_layout_* API didn't allow us to set such a layout
> today we would need to check for it.
> 
> now can this happen?
> try this:
> 
> ./ffmpeg -i matrixbench_mpeg2.mpg -af surround=chl_out="123456789" -f null -
> 
> I get a
> Segmentation fault (core dumped)
> 
> and it doesn't segfault after the patch

This is (probably) a regression since 66afa361e816.
Maybe an output layout sanity check should be added back to init() in 
some form instead, to return EINVAL after an "Unsupported upmix" warning 
message is printed, like it used to be the case.
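
The init-time layout check suggested in the reply above, sketched as an added example that is not code from the thread or from FFmpeg. `struct layout`, `channel_from_index()`, `check_out_layout()` and the 8-entry `sc_map` are hypothetical stand-ins for the filter's real types, and the sample layouts are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins, not FFmpeg's definitions. */
#define ARRAY_ELEMS(a) (sizeof(a) / sizeof((a)[0]))
#define CHAN_NONE (-1)

/* Fixed per-channel table indexed by channel ID (constructed: 8 known IDs). */
static const int sc_map[8] = { 0, 1, 2, 3, 4, 5, 6, 7 };

struct layout {
    int nb_channels;
    const int *ids;     /* channel ID stored at each index */
};

/* Model of a lookup that can fail: returns CHAN_NONE for a bad index. */
static int channel_from_index(const struct layout *l, int idx)
{
    if (idx < 0 || idx >= l->nb_channels)
        return CHAN_NONE;
    return l->ids[idx];
}

/* Validate every channel before anything is allocated or indexed.
 * Returns 0 if all IDs fit sc_map, else -EINVAL with *bad_idx set. */
static int check_out_layout(const struct layout *l, int *bad_idx)
{
    for (int ch = 0; ch < l->nb_channels; ch++) {
        int chan = channel_from_index(l, ch);
        /* Explicit lower bound: do not rely on int -> size_t conversion. */
        if (chan < 0 || (size_t)chan >= ARRAY_ELEMS(sc_map)) {
            *bad_idx = ch;
            return -EINVAL;
        }
    }
    return 0;
}

int main(void)
{
    static const int ok_ids[]  = { 0, 1, 2, 3, 4, 5 };
    static const int bad_ids[] = { 0, 1, 2, 40 };   /* ID 40 is past sc_map */
    struct layout ok = { 6, ok_ids }, bad = { 4, bad_ids };
    int idx = -1;
    int r_ok  = check_out_layout(&ok, &idx);
    int r_bad = check_out_layout(&bad, &idx);
    printf("ok: %d, bad: %d (index %d)\n", r_ok, r_bad, idx);
    return 0;
}
```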