[FFmpeg-cvslog] [ffmpeg] avfilter/af_pan: fix sscanf() return value checks in parse_channel_name (branch master)

Fri, 20 Mar 2026 19:35:13 -0700 

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new a43ea8bff7 avfilter/af_pan: fix sscanf() return value checks in 
parse_channel_name
a43ea8bff7 is described below

commit a43ea8bff79f23257313fc3e1a884aea9b7633ae
Author:     marcos ashton <[email protected]>
AuthorDate: Fri Mar 20 23:49:25 2026 +0000
Commit:     michaelni <[email protected]>
CommitDate: Sat Mar 21 00:44:30 2026 +0000

    avfilter/af_pan: fix sscanf() return value checks in parse_channel_name
    
    sscanf() returns EOF (-1) on input failure, which is non-zero and
    passes a bare truthy check. When this happens, the %n directive is
    never processed, so len stays uninitialized. Using that value to
    advance the arg pointer causes an out-of-bounds read and crash.
    
    Check for >= 1 instead, matching the fix applied to the other
    sscanf() call in init() by commit b5b6391d64.
    
    Fixes: https://code.ffmpeg.org/FFmpeg/FFmpeg/issues/22451
    Signed-off-by: marcos ashton <[email protected]>
---
 libavfilter/af_pan.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c
index 3c577edfe1..32bd28fe0a 100644
--- a/libavfilter/af_pan.c
+++ b/libavfilter/af_pan.c
@@ -70,7 +70,7 @@ static int parse_channel_name(char **arg, int *rchannel, int 
*rnamed)
 
     skip_spaces(arg);
     /* try to parse a channel name, e.g. "FL" */
-    if (sscanf(*arg, "%7[A-Z]%n", buf, &len)) {
+    if (sscanf(*arg, "%7[A-Z]%n", buf, &len) >= 1) {
         channel_id = av_channel_from_string(buf);
         if (channel_id < 0)
             return channel_id;
@@ -81,7 +81,7 @@ static int parse_channel_name(char **arg, int *rchannel, int 
*rnamed)
         return 0;
     }
     /* try to parse a channel number, e.g. "c2" */
-    if (sscanf(*arg, "c%d%n", &channel_id, &len) &&
+    if (sscanf(*arg, "c%d%n", &channel_id, &len) >= 1 &&
         channel_id >= 0 && channel_id < MAX_CHANNELS) {
         *rchannel = channel_id;
         *rnamed = 0;

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to