This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit 7d612d27aea2ee7d7de291348bd7f02d64b1988b Author: Michael Niedermayer <[email protected]> AuthorDate: Fri May 1 18:42:48 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun May 3 19:24:55 2026 +0200 avformat: Fix various extradata padding issues Reported-by: Kenan Alghythee <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 8439e0203744a30d280668fcd086f74ed5001da1) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/iamf_writer.c | 13 ++++++++++--- libavformat/mov.c | 7 +++---- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/libavformat/iamf_writer.c b/libavformat/iamf_writer.c index fcf7929830..8d152c14a8 100644 --- a/libavformat/iamf_writer.c +++ b/libavformat/iamf_writer.c @@ -126,9 +126,14 @@ static int fill_codec_config(IAMFContext *iamf, const AVStreamGroup *stg, } populate_audio_roll_distance(codec_config); if (st->codecpar->extradata_size) { - codec_config->extradata = av_memdup(st->codecpar->extradata, st->codecpar->extradata_size); + if (st->codecpar->extradata_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) + return AVERROR_INVALIDDATA; + + codec_config->extradata = av_malloc(st->codecpar->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); if (!codec_config->extradata) return AVERROR(ENOMEM); + memcpy(codec_config->extradata, st->codecpar->extradata, st->codecpar->extradata_size); + memset(codec_config->extradata + st->codecpar->extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); codec_config->extradata_size = st->codecpar->extradata_size; ret = update_extradata(codec_config); if (ret < 0) @@ -1237,15 +1242,17 @@ int ff_iamf_write_audio_frame(const IAMFContext *iamf, AVIOContext *pb, AV_PKT_DATA_NEW_EXTRADATA, &new_extradata_size); - if (!new_extradata) + if (!new_extradata || new_extradata_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) return AVERROR_INVALIDDATA; av_free(codec_config->extradata); - codec_config->extradata = av_memdup(new_extradata, new_extradata_size); + codec_config->extradata = av_malloc(new_extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); if (!codec_config->extradata) { codec_config->extradata_size = 0; return AVERROR(ENOMEM); } + memcpy(codec_config->extradata, new_extradata, new_extradata_size); + memset(codec_config->extradata + new_extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); codec_config->extradata_size = new_extradata_size; return update_extradata(codec_config); diff --git a/libavformat/mov.c b/libavformat/mov.c index e013e1cba5..222d79ec1f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -932,10 +932,9 @@ static int mov_read_iacb(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR(ENOMEM); iamf = &sc->iamf->iamf; - st->codecpar->extradata = av_malloc(descriptors_size); - if (!st->codecpar->extradata) - return AVERROR(ENOMEM); - st->codecpar->extradata_size = descriptors_size; + ret = ff_alloc_extradata(st->codecpar, descriptors_size); + if (ret < 0) + return ret; ret = avio_read(pb, st->codecpar->extradata, descriptors_size); if (ret != descriptors_size) _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
