Stowage/ffmpeg
2
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2026-06-04 14:40:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

avformat: Fix various extradata padding issues

Browse source 
Reported-by: Kenan Alghythee <kalghy2@uic.edu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8439e02037)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2026-05-01 18:42:48 +02:00
parent 3b0c1f4506
commit c7a0013d5f
No known key found for this signature in database
GPG key ID: B18E8928B3948D64
2 changed files with 13 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

13
libavformat/iamf_writer.c
View file

@ -125,9 +125,14 @@ static int fill_codec_config(IAMFContext *iamf, const AVStreamGroup *stg,
}
populate_audio_roll_distance(codec_config);
if (st->codecpar->extradata_size) {
codec_config->extradata = av_memdup(st->codecpar->extradata, st->codecpar->extradata_size);
if (st->codecpar->extradata_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
return AVERROR_INVALIDDATA;
codec_config->extradata = av_malloc(st->codecpar->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
if (!codec_config->extradata)
return AVERROR(ENOMEM);
memcpy(codec_config->extradata, st->codecpar->extradata, st->codecpar->extradata_size);
memset(codec_config->extradata + st->codecpar->extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
codec_config->extradata_size = st->codecpar->extradata_size;
ret = update_extradata(codec_config);
if (ret < 0)
@ -1113,7 +1118,7 @@ int ff_iamf_write_audio_frame(const IAMFContext *iamf, AVIOContext *pb,
AV_PKT_DATA_NEW_EXTRADATA,
&new_extradata_size);
if (!new_extradata)
if (!new_extradata || new_extradata_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
return AVERROR_INVALIDDATA;
audio_element = get_audio_element(iamf, audio_substream_id);
if (!audio_element)
@ -1123,11 +1128,13 @@ int ff_iamf_write_audio_frame(const IAMFContext *iamf, AVIOContext *pb,
return AVERROR(EINVAL);
av_free(codec_config->extradata);
codec_config->extradata = av_memdup(new_extradata, new_extradata_size);
codec_config->extradata = av_malloc(new_extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
if (!codec_config->extradata) {
codec_config->extradata_size = 0;
return AVERROR(ENOMEM);
}
memcpy(codec_config->extradata, new_extradata, new_extradata_size);
memset(codec_config->extradata + new_extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
codec_config->extradata_size = new_extradata_size;
return update_extradata(codec_config);

7
libavformat/mov.c
View file

@ -925,10 +925,9 @@ static int mov_read_iacb(MOVContext *c, AVIOContext *pb, MOVAtom atom)
return AVERROR(ENOMEM);
iamf = &sc->iamf->iamf;
st->codecpar->extradata = av_malloc(descriptors_size);
if (!st->codecpar->extradata)
return AVERROR(ENOMEM);
st->codecpar->extradata_size = descriptors_size;
ret = ff_alloc_extradata(st->codecpar, descriptors_size);
if (ret < 0)
return ret;
ret = avio_read(pb, st->codecpar->extradata, descriptors_size);
if (ret != descriptors_size)