[FFmpeg-cvslog] [ffmpeg] avcodec/cook: bound subpacket channel sum against channel count (branch master)

Sat, 30 May 2026 06:57:47 -0700 

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new 1152139b48 avcodec/cook: bound subpacket channel sum against channel 
count
1152139b48 is described below

commit 1152139b4898888f7ca3daa1caca715c87dc1e85
Author:     David Korczynski <[email protected]>
AuthorDate: Thu May 21 04:30:36 2026 -0700
Commit:     michaelni <[email protected]>
CommitDate: Sat May 30 13:57:13 2026 +0000

    avcodec/cook: bound subpacket channel sum against channel count
    
    Fixes: out of array read
    Fixes: evil.rm
    
    Found-by: Anthropic agents; validated and reported by Ada Logics.
    
    Signed-off-by: David Korczynski <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/cook.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/cook.c b/libavcodec/cook.c
index cc6005d3ff..8256afc2e4 100644
--- a/libavcodec/cook.c
+++ b/libavcodec/cook.c
@@ -1080,6 +1080,7 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
     int s = 0;
     unsigned int channel_mask = 0;
     int samples_per_frame = 0;
+    int total_channels = 0;
     int ret;
     int channels = avctx->ch_layout.nb_channels;
 
@@ -1237,10 +1238,12 @@ static av_cold int cook_decode_init(AVCodecContext 
*avctx)
         q->subpacket[s].gains2.now      = q->subpacket[s].gain_3;
         q->subpacket[s].gains2.previous = q->subpacket[s].gain_4;
 
-        if (q->num_subpackets + q->subpacket[s].num_channels > channels) {
-            av_log(avctx, AV_LOG_ERROR, "Too many subpackets %d for channels 
%d\n", q->num_subpackets, channels);
+        if (total_channels + q->subpacket[s].num_channels > channels) {
+            av_log(avctx, AV_LOG_ERROR, "Too many subpacket channels %d for 
channels %d\n",
+                   total_channels + q->subpacket[s].num_channels, channels);
             return AVERROR_INVALIDDATA;
         }
+        total_channels += q->subpacket[s].num_channels;
 
         q->num_subpackets++;
         s++;

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to