eessppeelllloo/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2026-02-03 20:09:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
122,095 Commits 38 Branches 415 Tags
6258e61c4ddc073a4a94de217e9dbaa42a23ae1e
Commit Graph

49 Commits

Author SHA1 Message Date
James Almer
5cdc1cad77 avformat/iamf_parse: add a few extra sanity checks 
Signed-off-by: James Almer <jamrial@gmail.com>
 2025-12-09 17:54:11 -03:00
James Almer
2d5abf27e5 avformat/iamf_parse: fix parsing of Scalable layouts with Mono and Stereo layers 
An ASAN heap-buffer-overflow in scalable_channel_layout_config was caused by an
unchecked assumption that the channel layout of a scalable audio layer is a
superset of the previous layer's channel layout.

scalable_channel_layout_config constructs a channel layout map by copying
channels from the previous layer and adding new ones. The memory allocation is
based on the target loudspeaker_layout. However, if the target layout doesn't
encompass all previous channels (e.g., Mono to Stereo), copying previous
channels followed by adding current ones could exceed the allocated size,
causing a heap buffer overflow.

This commit adds an exception for the know case of Mono -> Stereo, and a check
to ensure the previous layer's channel layout is a subset of the current
layer's layout by comparing their masks. If the condition isn't met,
an error is returned.

Fixes: https://issues.oss-fuzz.com/issues/464965414

Co-authored-by: Oliver Chang <ochang@google.com>
Signed-off-by: James Almer <jamrial@gmail.com>
 2025-12-09 17:54:11 -03:00
James Almer
faa382e5b1 avformat/iamf_parse: ensure the stream count in a scalable channel representation is equal to the audio element's stream count 
Signed-off-by: James Almer <jamrial@gmail.com>
 2025-11-26 12:01:17 -03:00
James Almer
554ae5ada9 avformat/iamf_parse: ensure each layout in an scalable channel representation has an increasing number of channels 
Fixes issue #21013

Signed-off-by: James Almer <jamrial@gmail.com>
 2025-11-26 12:01:17 -03:00
Timo Rothenpieler
262d41c804 all: fix typos found by codespell 2025-08-03 13:48:47 +02:00
James Almer
1abc25cd23 avformat/iamf_parser: remove unreachable code 
expanded_loudspeaker_layout is only present and read on the first layer.

Fixes Coverity issue #1655173.

Signed-off-by: James Almer <jamrial@gmail.com>
 2025-06-26 16:33:04 -03:00
James Almer
cd2461e627 avformat/iamf: fix setting channel layout for Scalable layers 
The way streams are coded in an IAMF struct follows a scalable model where the
channel layouts for each layer may not match the channel order our API can
represent in a Native order layout.

For example, an audio element may have six coded streams in the form of two
stereo streams, followed by two mono streams, and then by another two stereo
streams, for a total of 10 channels, and define for them four scalable layers
with loudspeaker_layout values "Stereo", "5.1ch", "5.1.2ch", and "5.1.4ch".
The first layer references the first stream, and each following layer will
reference all previous streams plus extra ones.
In this case, the "5.1ch" layer will reference four streams (the first two
stereo and the two mono) to encompass six channels, which does not match out
native layout 5.1(side) given that FC and LFE come after FL+FR but before
SL+SR, and here, they are at the end.

For this reason, we need to build Custom order layouts that properly represent
what we're exporting.

----
Before:

  Stream group #0:0[0x12c]: IAMF Audio Element:
    Layer 0: stereo
      Stream #0:0[0x0]: Audio: opus, 48000 Hz, stereo, fltp (default)
    Layer 1: 5.1(side)
      Stream #0:0[0x0]: Audio: opus, 48000 Hz, stereo, fltp (default)
      Stream #0:1[0x1]: Audio: opus, 48000 Hz, stereo, fltp (dependent)
      Stream #0:2[0x2]: Audio: opus, 48000 Hz, mono, fltp (dependent)
      Stream #0:3[0x3]: Audio: opus, 48000 Hz, mono, fltp (dependent)
    Layer 2: 5.1.2
      Stream #0:0[0x0]: Audio: opus, 48000 Hz, stereo, fltp (default)
      Stream #0:1[0x1]: Audio: opus, 48000 Hz, stereo, fltp (dependent)
      Stream #0:2[0x2]: Audio: opus, 48000 Hz, mono, fltp (dependent)
      Stream #0:3[0x3]: Audio: opus, 48000 Hz, mono, fltp (dependent)
      Stream #0:4[0x4]: Audio: opus, 48000 Hz, stereo, fltp (dependent)
    Layer 3: 5.1.4
      Stream #0:0[0x0]: Audio: opus, 48000 Hz, stereo, fltp (default)
      Stream #0:1[0x1]: Audio: opus, 48000 Hz, stereo, fltp (dependent)
      Stream #0:2[0x2]: Audio: opus, 48000 Hz, mono, fltp (dependent)
      Stream #0:3[0x3]: Audio: opus, 48000 Hz, mono, fltp (dependent)
      Stream #0:4[0x4]: Audio: opus, 48000 Hz, stereo, fltp (dependent)
      Stream #0:5[0x5]: Audio: opus, 48000 Hz, stereo, fltp (dependent)

----
AFter:

  Stream group #0:0[0x12c]: IAMF Audio Element:
    Layer 0: stereo
      Stream #0:0[0x0]: Audio: opus, 48000 Hz, stereo, fltp (default)
    Layer 1: 6 channels (FL+FR+SL+SR+FC+LFE)
      Stream #0:0[0x0]: Audio: opus, 48000 Hz, stereo, fltp (default)
      Stream #0:1[0x1]: Audio: opus, 48000 Hz, stereo, fltp (dependent)
      Stream #0:2[0x2]: Audio: opus, 48000 Hz, mono, fltp (dependent)
      Stream #0:3[0x3]: Audio: opus, 48000 Hz, mono, fltp (dependent)
    Layer 2: 8 channels (FL+FR+SL+SR+FC+LFE+TFL+TFR)
      Stream #0:0[0x0]: Audio: opus, 48000 Hz, stereo, fltp (default)
      Stream #0:1[0x1]: Audio: opus, 48000 Hz, stereo, fltp (dependent)
      Stream #0:2[0x2]: Audio: opus, 48000 Hz, mono, fltp (dependent)
      Stream #0:3[0x3]: Audio: opus, 48000 Hz, mono, fltp (dependent)
      Stream #0:4[0x4]: Audio: opus, 48000 Hz, stereo, fltp (dependent)
    Layer 3: 10 channels (FL+FR+SL+SR+FC+LFE+TFL+TFR+TBL+TBR)
      Stream #0:0[0x0]: Audio: opus, 48000 Hz, stereo, fltp (default)
      Stream #0:1[0x1]: Audio: opus, 48000 Hz, stereo, fltp (dependent)
      Stream #0:2[0x2]: Audio: opus, 48000 Hz, mono, fltp (dependent)
      Stream #0:3[0x3]: Audio: opus, 48000 Hz, mono, fltp (dependent)
      Stream #0:4[0x4]: Audio: opus, 48000 Hz, stereo, fltp (dependent)
      Stream #0:5[0x5]: Audio: opus, 48000 Hz, stereo, fltp (dependent)

Signed-off-by: James Almer <jamrial@gmail.com>
 2025-06-24 14:41:43 -03:00
James Almer
13e81dbd27 avformat/iamf_parse: try to retype the channel layout for ambisonics_mode == 0 
In most cases, the channel ids will match the standard Ambisonic Order, saving us the
need to use a custom order layout.

Signed-off-by: James Almer <jamrial@gmail.com>
 2025-06-24 14:41:43 -03:00
James Almer
a7beac704b avformat/iamf_parse: prevent overreads in update_extradata 
Fixes: libavcodec/put_bits.h:232:32: runtime error: shift exponent -19 is negative
Fixes: Assertion n>=0 && n<=32 failed at ./libavcodec/get_bits.h:406
Fixes: 398527871/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6602025714647040

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
 2025-06-24 14:41:43 -03:00
James Almer
3f94201324 avformat/iamf_parse: increase PutBytes buffer when writing AAC extradata 
We may write up to 43 bits, so 5 bytes is not enough.

Fixes: Assertion n>=0 && n<=32 failed at ./libavcodec/get_bits.h:406
Fixes: 398527871/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6602025714647040

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
 2025-05-14 10:32:23 -03:00
Andreas Rheinhardt
ede2b391cc avcodec/put_bits: Add and use put_bits63() 
When using a 64bit PutBitContext (i.e. on x64), put_bits_no_assert()
can naturally write up to 63 bits. So one can avoid treating the
cases <32bits, 32 bits and <63 bits differently.

As it turns out, no user actually wants to write 64 bit at once
(maybe except testprograms).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2025-03-11 04:37:21 +01:00
James Almer
5470d024e1 avformat/iamf_parse: ensure there's at most one of each parameter types in audio elements 
Should prevent potential memory leaks on invalid files.

Signed-off-by: James Almer <jamrial@gmail.com>
 2025-02-19 19:51:21 -03:00
James Almer
0526535cd5 avformat/iamf_parse: add missing constrains for num_parameters in audio_element_oub() 
Fixes ticket #11475.

Signed-off-by: James Almer <jamrial@gmail.com>
 2025-02-19 19:51:21 -03:00
James Almer
d5873be583 avformat/iamf_parse: add missing av_free() call on failure path 
Fixes ticket #11416

Signed-off-by: James Almer <jamrial@gmail.com>
 2025-01-13 17:28:22 -03:00
Michael Niedermayer
4485a0fd77 avformat/iamf_parse: Check output_channel_count 
Fixes: -nan is outside the range of representable values of type 'int'
Fixes: 377072730/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6545416570601472

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2025-01-08 23:23:26 +01:00
James Almer
fb5e8ea971 avformat/iamf_parse: fix setting duration for the last subblock in a parameter definition 
When subblock durations are constant, the last block may be smaller and the
value needs to be calculated.

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-12-15 20:41:05 -03:00
James Almer
d38fc25519 avformat/iamf_parse: add checks to parameter definition durations 
Section 3.6.1 of the IAMF spec states "When constant_subblock_duration is equal to 0, the summation of all
subblock_duration in this parameter block SHALL be equal to duration.".

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-12-15 20:37:39 -03:00
James Almer
d255f90242 avformat/iamf_parse: add support for expanded channel layouts 
Defined in Immersive Audio Model and Formats 1.1.0, sections 3.6.2 and 3.7.3

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-12-13 16:36:10 -03:00
Michael Niedermayer
4cc1495aca avformat/iamf_parse: reject ambisonics mode > 1 
ambisonics mode > 1 does not initialize any layer but layer 0
is unconditionally dereferenced

Fixes: poc-2024-11
Fixes: null pointer dereference
Found-by: 苏童 <220235212@seu.edu.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2024-12-02 02:51:38 +01:00
James Almer
edc7b67508 avformat/iamf: use the new Binaural channel layout 
Signed-off-by: James Almer <jamrial@gmail.com>
 2024-11-13 12:38:04 -03:00
James Almer
a4228a0ac1 avformat/iamf_parser: use ffio_read_size() where useful 
Signed-off-by: James Almer <jamrial@gmail.com>
 2024-08-31 23:44:13 -03:00
Marvin Scholz
b6a0eab528 avformat/iamf_parse: Fix return of uninitialized value 
The ret value here is not yet intialized so the return would return
uninitialized data. What was probably meant to be checked here was the
return value of ffio_read_size, which can return an error.

Introduced in 38bcb3ba7b

Fixes: CID1618758
Signed-off-by: James Almer <jamrial@gmail.com>
 2024-08-31 21:21:39 -03:00
James Almer
fa5d3cc653 avformat/iamf_parse: use get_bits_long() to read the remaining AAC extradata bits 
The output of put_bits_left() here can be as big as 27, which is a bit
count not supported by get_bits().

Fixes fate-iamf-stereo-demux when using --assert-level=2

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-08-31 14:51:32 -03:00
James Almer
38bcb3ba7b avformat/iamf_parse: fix parsing AAC DecoderConfigDescriptor 
Use ff_mp4_read_descr() to read both the tags and the vlc value
that comes after it, which was not being taken into account.

Ref: https://github.com/AOMediaCodec/libiamf/issues/119

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-08-31 11:11:42 -03:00
Michael Niedermayer
7e5410eadb avformat/iamf_parse: clear padding 
Fixes: use of uninitialized value
Fixes: 70929/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5931276639469568

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2024-08-18 23:05:40 +02:00
James Almer
66c05dc031 avformat/iamf_parse: ignore Audio Elements with an unsupported type 
Better fix for the NULL pointer dereference from d7f83fc2f4.

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-08-14 23:55:40 -03:00
James Almer
94165d1b79 avformat/iamf: use aligned intreadwrite macros where possible 
Signed-off-by: James Almer <jamrial@gmail.com>
 2024-08-07 00:16:21 -03:00
Michael Niedermayer
ed96ac87a9 avformat/iamf_parse: Check for 0 samples 
Fixes: division by zero
Fixes: 70561/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6199435013455872
Fixes: 70565/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5783790316748800

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2024-08-01 00:18:02 +02:00
Michael Niedermayer
9b9e02f2ff avformat/iamf_parse: Check for negative sample sizes 
Fixes: index -2 out of bounds for type 'const enum AVCodecID [3]'
Fixes: 69866/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4971166119821312

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2024-07-21 15:35:08 +02:00
James Almer
9ce065c90d avformat/iamf_parse: sanitize audio_roll_distance values 
Ensure the values are spec complaint and that no integer overflow can happen.

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-07-19 21:07:32 -03:00
James Almer
7dabad079b avformat/iamf: byteswap values in OpusHeader 
Clause 3.11.1 of IAMF[1] states the values are stored in big endian, in
contrast to the Ogg Encapsulation for Opus[2] where they are in little endian.

[1]https://aomediacodec.github.io/iamf/v1.0.0-errata.html#opus-specific
[2]https://datatracker.ietf.org/doc/html/rfc7845#section-5.1

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-07-18 23:27:20 -03:00
James Almer
54b8d5e201 avformat/iamf: rename Codec Config seek_preroll to audio_roll_distance 
The semantics for the field are different than the one in AVCodecParameters,
so use the name defined in the IAMF spec to prevent confusion.

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-07-18 23:27:20 -03:00
Felicia Lim
2094f40295 avformat/iamf_writer: fix coded audio_roll_distance values 
'seek_preroll' corresponds to 'audio_roll_distance' in IAMF[1]

[1]https://aomediacodec.github.io/iamf/v1.0.0-errata.html#audio_roll_distance

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-07-18 23:27:20 -03:00
James Almer
b248dace92 avformat/iamf_parse: keep substream count consistent 
Fixes: member access within null pointer of type 'IAMFSubStream' (aka 'struct IAMFSubStream')
Fixes: 69795/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6216287009701888

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2024-07-16 18:43:14 +02:00
James Almer
0ae157b360 avformat/iamf_parse: add missing padding to AAC extradata 
Fixes: out of array access
Fixes: 68863/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4833546039525376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
 2024-06-19 10:12:57 -03:00
Michael Niedermayer
7fab9b9761 avformat/iamf_parse: 0 layers are not allowed 
Fixes: out of array access
Fixes: 68302/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4665793796177920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2024-06-19 12:54:46 +02:00
Michael Niedermayer
c69e6cccd7 avformat/iamf_parse: consider nb_substreams when accessing substreams array 
Fixes: out of array access
Fixes: 68584/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6256656668229632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2024-06-19 12:52:20 +02:00
Michael Niedermayer
c21fb3624b avformat/iamf_parse: Remove dead case 
Fixes: CID1559546 Logically dead code

Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2024-06-12 00:39:11 +02:00
Michael Niedermayer
4593cf7ab3 avformat/iamf_parse: Check sound_system 
Fixes: index 13 out of bounds for type 'const struct IAMFSoundSystemMap [13]'
Fixes: 67796/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4554553191104512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2024-04-04 19:38:29 +02:00
James Almer
0a693bce62 avformat/iamf_parse: keep count_label consistent on language_label allocation failure 
Fixes: null pointer dereference
Fixes: 67023/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6011025237278720

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2024-04-01 18:17:28 +02:00
Andreas Rheinhardt
790f793844 avutil/common: Don't auto-include mem.h 
There are lots of files that don't need it: The number of object
files that actually need it went down from 2011 to 884 here.

Keep it for external users in order to not cause breakages.

Also improve the other headers a bit while just at it.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2024-03-31 00:08:43 +01:00
James Almer
56d630e6c2 avformat/iamf_writer: update extradata from packet side data 
Some encoders, like flac, propagate updated extradata at the end of encoding
as packet side data. Use it to update the relevant codec_config.

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-03-04 21:14:05 -03:00
James Almer
80131321c4 avformat/iamfdec: set disposition flags to output streams 
if there's an audio layer with a single stream that can be rendered alone, mark it
as default. Otherwise, mark every stream as dependent.

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-02-19 20:53:36 -03:00
Andreas Rheinhardt
18af922c53 avformat/iamf: Don't mix ownership and non-ownership pointers 
IAMFAudioElement and IAMFMixPresentation currently contain
pointers to independently allocated objects that are sometimes
owned by said structures and sometimes not.

More precisely, upon success the demuxer transfers ownership
of these other objects newly created AVStreamGroups, but it
keeps its pointers. iamf_read_close() therefore always resets
these pointers (because the cleanup code always treats them
as ownership pointers). This leads to memory leaks in case
iamf_read_header() without having attached all of these
objects to stream groups.

The muxer has a similar issue: It also clears these pointers
(pointing to objects owned by stream groups created by the user)
in its deinit function.

This commit fixes this memleak by explicitly adding non-ownership
pointers; this also allows to remove the code to reset the
ownership pointers.

Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2024-02-19 23:30:00 +01:00
James Almer
fa469545ba avcodec: move leb reading functions to its own header 
Signed-off-by: James Almer <jamrial@gmail.com>
 2024-01-31 11:19:16 -03:00
James Almer
0b8e51b584 avformat/iamf_parse: use the public iamf helpers to allocate structs 
Should fix memory leaks from non-freed fields due to missing AVClass
in the allocated structs.

Signed-off-by: James Almer <jamrial@gmail.com>
 2024-01-23 20:57:41 -03:00
Paul B Mahol
04cb307508 avformat/iamf_parse: fix yet annother logical coding error 
Signed-off-by: James Almer <jamrial@gmail.com>
 2023-12-21 12:24:54 -03:00
Paul B Mahol
7a9aafde3d avformat/iamf_parse: fix another logical coding error 
Signed-off-by: James Almer <jamrial@gmail.com>
 2023-12-21 11:39:24 -03:00
James Almer
4ee05182b7 avformat: Immersive Audio Model and Formats demuxer 
Signed-off-by: James Almer <jamrial@gmail.com>
 2023-12-18 15:20:59 -03:00