xaymar/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avformat: Fix various extradata padding issues

Browse Source 
Reported-by: Kenan Alghythee <kalghy2@uic.edu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2026-05-01 18:42:48 +02:00
committed by michaelni
parent 23227a444d
commit 8439e02037
2 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavformat/iamf_writer.c
+10 -3
View File
@@ -126,9 +126,14 @@ static int fill_codec_config(IAMFContext *iamf, const AVStreamGroup *stg,
}
populate_audio_roll_distance(codec_config);
if (st->codecpar->extradata_size) {
codec_config->extradata = av_memdup(st->codecpar->extradata, st->codecpar->extradata_size);
if (st->codecpar->extradata_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
return AVERROR_INVALIDDATA;
codec_config->extradata = av_malloc(st->codecpar->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
if (!codec_config->extradata)
return AVERROR(ENOMEM);
memcpy(codec_config->extradata, st->codecpar->extradata, st->codecpar->extradata_size);
memset(codec_config->extradata + st->codecpar->extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
codec_config->extradata_size = st->codecpar->extradata_size;
ret = update_extradata(codec_config);
if (ret < 0)
@@ -1237,15 +1242,17 @@ int ff_iamf_write_audio_frame(const IAMFContext *iamf, AVIOContext *pb,
AV_PKT_DATA_NEW_EXTRADATA,
&new_extradata_size);
if (!new_extradata)
if (!new_extradata || new_extradata_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
return AVERROR_INVALIDDATA;
av_free(codec_config->extradata);
codec_config->extradata = av_memdup(new_extradata, new_extradata_size);
codec_config->extradata = av_malloc(new_extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
if (!codec_config->extradata) {
codec_config->extradata_size = 0;
return AVERROR(ENOMEM);
}
memcpy(codec_config->extradata, new_extradata, new_extradata_size);
memset(codec_config->extradata + new_extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
codec_config->extradata_size = new_extradata_size;
return update_extradata(codec_config);
libavformat/mov.c
+3 -4
View File
@@ -932,10 +932,9 @@ static int mov_read_iacb(MOVContext *c, AVIOContext *pb, MOVAtom atom)
return AVERROR(ENOMEM);
iamf = &sc->iamf->iamf;
st->codecpar->extradata = av_malloc(descriptors_size);
if (!st->codecpar->extradata)
return AVERROR(ENOMEM);
st->codecpar->extradata_size = descriptors_size;
ret = ff_alloc_extradata(st->codecpar, descriptors_size);
if (ret < 0)
return ret;
ret = avio_read(pb, st->codecpar->extradata, descriptors_size);
if (ret != descriptors_size)