[FFmpeg-devel] [PATCH 1/7] avformat/mov_chan: Check for FF_SANE_NB_CHANNELS

Mon Sep 16 17:30:34 EEST 2024

On 9/13/2024 2:48 PM, Michael Niedermayer wrote:
> On Fri, Sep 13, 2024 at 12:08:45PM +0200, Anton Khirnov wrote:
>> Quoting Michael Niedermayer (2024-09-13 01:33:31)
>>> We do not support more channels. For example avcodec_open2() limits channels this way too
>>>
>>> The example file contains multiple chunks with over 16 million channels
>>
>> We had this discussion already.
> 
> I remembered something too, but couldnt find the thread within teh time i was looking for it
> 
> 
>> Ad-hoc checks like this are only
>> addressing a symptom (probably one of many), and hide the actual bug.
> 
> If you have a better fix, submit it.
Does the following help with this sample?

> diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c
> index cc5b333129..4484a22a10 100644
> --- a/libavformat/mov_chan.c
> +++ b/libavformat/mov_chan.c
> @@ -543,10 +543,22 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st,
>          return 0;
> 
>      if (layout_tag == MOV_CH_LAYOUT_USE_DESCRIPTIONS) {
> -        int nb_channels = ch_layout->nb_channels ? ch_layout->nb_channels : num_descr;
> +        int nb_channels = ch_layout->nb_channels;
> +
> +        if (!num_descr || num_descr < nb_channels) {
> +            av_log(s, AV_LOG_ERROR, "got %d channel descriptions when at least %d were needed\n",
> +                   num_descr, nb_channels);
> +            return AVERROR_INVALIDDATA;
> +        }
> +
>          if (num_descr > nb_channels) {
> -            av_log(s, AV_LOG_WARNING, "got %d channel descriptions, capping to the number of channels %d\n",
> +            int strict = s->strict_std_compliance >= FF_COMPLIANCE_STRICT;
> +            av_log(s, strict ? AV_LOG_ERROR : AV_LOG_WARNING,
> +                   "got %d channel descriptions when number of channels is %d\n",
>                     num_descr, nb_channels);
> +            if (strict)
> +                return AVERROR_INVALIDDATA;
> +            av_log(s, AV_LOG_WARNING, "capping channel descriptions to the number of channels\n");
>              num_descr = nb_channels;
>          }

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240916/88b53d1c/attachment.sig>