PR #21642 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21642 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21642.patch
All callers of swr_set_matrix() in FFmpeg check this already, but it is a public function that can plausibly be given more channels. In which case out of array writes would occur This is likely a regression from when channel layouts where extended to support more than 64 channels Found-by: 이동준 <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> From f6ef7a720e0d19fda0a528d73325683bd22ab9c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Tue, 3 Feb 2026 22:06:24 +0100 Subject: [PATCH 1/2] swresample: Check user chlayout in swr_set_matrix() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit All callers in FFmpeg check this already, but it is a public function that can plausibly be given more channels. In which case out of array writes would occur This is likely a regression from when channel layouts where extended to support more than 64 channels Found-by: 이동준 <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> --- libswresample/rematrix.c | 5 ++++- libswresample/swresample.c | 28 ++++++++++++++++------------ libswresample/swresample_internal.h | 1 + 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 76681e9229..3b2cd87ce2 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -66,7 +66,10 @@ int swr_set_matrix(struct SwrContext *s, const double *matrix, int stride) { int nb_in, nb_out, in, out; - if (!s || s->in_convert) // s needs to be allocated but not initialized + if (!s || s->in_convert || // s needs to be allocated but not initialized + swri_check_chlayout(s, &s->user_in_chlayout , "input") || + swri_check_chlayout(s, &s->user_out_chlayout, "output") + ) return AVERROR(EINVAL); memset(s->matrix, 0, sizeof(s->matrix)); diff --git a/libswresample/swresample.c b/libswresample/swresample.c index e7ce4a10aa..1a9d644e97 100644 --- a/libswresample/swresample.c 
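Review bot: With the two `swri_check_chlayout()` calls added to the condition, `swr_set_matrix()` now returns `AVERROR(EINVAL)` and logs a warning whenever either user layout fails `av_channel_layout_check()`, not only when it exceeds `SWR_CH_MAX`, so "set the layouts first, then the matrix" becomes part of the public contract. Nothing in the hunk states that ordering; I would add a comment above the condition such as `/* both user layouts must already be set and have at most SWR_CH_MAX channels; per the commit message their channel counts bound the writes into s->matrix */`, and presumably the same sentence belongs in the function's public documentation, which is outside this diff. The trailing `// s needs to be allocated but not initialized` comment now sits inside a four-operand condition and describes only the first two operands, so it reads better on its own line above the `if`. The function body continues past the hunk, so the indexing itself is not visible here.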
+++ b/libswresample/swresample.c @@ -30,6 +30,20 @@ #define ALIGN 32 +int swri_check_chlayout(struct SwrContext *s, const AVChannelLayout *chl, const char *name) { + char l1[1024]; + int ret; + + if (!(ret = av_channel_layout_check(chl)) || chl->nb_channels > SWR_CH_MAX) { + if (ret) + av_channel_layout_describe(chl, l1, sizeof(l1)); + av_log(s, AV_LOG_WARNING, "%s channel layout \"%s\" is invalid or unsupported.\n", name, ret ? l1 : ""); + return AVERROR(EINVAL); + } + + return 0; +} + int swr_set_channel_mapping(struct SwrContext *s, const int *channel_map){ if(!s || s->in_convert) // s needs to be allocated but not initialized return AVERROR(EINVAL); @@ -162,19 +176,9 @@ av_cold int swr_init(struct SwrContext *s){ s->out.ch_count = s-> user_out_chlayout.nb_channels; s-> in.ch_count = s-> user_in_chlayout.nb_channels; - if (!(ret = av_channel_layout_check(&s->user_in_chlayout)) || s->user_in_chlayout.nb_channels > SWR_CH_MAX) { - if (ret) - av_channel_layout_describe(&s->user_in_chlayout, l1, sizeof(l1)); - av_log(s, AV_LOG_WARNING, "Input channel layout \"%s\" is invalid or unsupported.\n", ret ? l1 : ""); + if (swri_check_chlayout(s, &s->user_in_chlayout , "input") || + swri_check_chlayout(s, &s->user_out_chlayout, "output")) return AVERROR(EINVAL); - } - - if (!(ret = av_channel_layout_check(&s->user_out_chlayout)) || s->user_out_chlayout.nb_channels > SWR_CH_MAX) { - if (ret) - av_channel_layout_describe(&s->user_out_chlayout, l2, sizeof(l2)); - av_log(s, AV_LOG_WARNING, "Output channel layout \"%s\" is invalid or unsupported.\n", ret ? l2 : ""); - return AVERROR(EINVAL); - } ret = av_channel_layout_copy(&s->in_ch_layout, &s->user_in_chlayout); ret |= av_channel_layout_copy(&s->out_ch_layout, &s->user_out_chlayout); diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index b016ba3315..ca2e0d7534 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h 
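Review bot: In `swri_check_chlayout()` the buffer `l1` is left uninitialised and the return value of `av_channel_layout_describe()` is ignored, so the `%s` in the `av_log()` call relies on that function always leaving a terminated string in `l1`, even on failure. That may well hold, but it cannot be confirmed from this hunk, and declaring the buffer as `char l1[1024] = "";` removes the dependency at negligible cost. Separately, `ret` holds the boolean result of `av_channel_layout_check()` rather than an error code, so a name such as `valid` would make `ret ? l1 : ""` easier to read.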
@@ -198,6 +198,7 @@ struct SwrContext { av_warn_unused_result int swri_realloc_audio(AudioData *a, int count); +int swri_check_chlayout(struct SwrContext *s, const AVChannelLayout *chl, const char *name); void swri_noise_shaping_int16 (SwrContext *s, AudioData *dsts, const AudioData *srcs, const AudioData *noises, int count); void swri_noise_shaping_int32 (SwrContext *s, AudioData *dsts, const AudioData *srcs, const AudioData *noises, int count); -- 2.52.0 From 6a79e927f0789228a2224a6331273ae8625bcfd7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Tue, 3 Feb 2026 22:19:16 +0100 Subject: [PATCH 2/2] swresample: Check ch layouts in swr_alloc_set_opts2() This way we can error out earlier Signed-off-by: Michael Niedermayer <[email protected]> --- libswresample/swresample.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 1a9d644e97..d777efd802 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -68,6 +68,8 @@ int swr_alloc_set_opts2(struct SwrContext **ps, if ((ret = av_opt_set_chlayout(s, "ochl", out_ch_layout, 0)) < 0) goto fail; + if ((ret = swri_check_chlayout(s, out_ch_layout, "ochl")) < 0) + goto fail; if ((ret = av_opt_set_int(s, "osf", out_sample_fmt, 0)) < 0) goto fail; @@ -77,6 +79,8 @@ int swr_alloc_set_opts2(struct SwrContext **ps, if ((ret = av_opt_set_chlayout(s, "ichl", in_ch_layout, 0)) < 0) goto fail; + if ((ret = swri_check_chlayout(s, in_ch_layout, "ichl")) < 0) + goto fail; if ((ret = av_opt_set_int(s, "isf", in_sample_fmt, 0)) < 0) goto fail; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
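Review bot: The new `swri_check_chlayout()` prototype carries no comment, and its contract is not obvious from the name: going by the definition in swresample.c, it returns 0 when the layout is usable and `AVERROR(EINVAL)` otherwise, logs on failure, and uses `name` only as a prefix for that log message. I would document this at the declaration, for example `/* Check that chl is a valid layout with at most SWR_CH_MAX channels; returns 0, or AVERROR(EINVAL) after logging a warning prefixed with name. */`.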
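Review bot: The check added after `av_opt_set_chlayout(s, "ochl", ...)` makes `swr_alloc_set_opts2()` fail for any layout that is invalid or has more than `SWR_CH_MAX` channels, where that decision was previously left to `swr_init()`. A caller that passed a placeholder layout here and set the real one through options before `swr_init()` would now get `AVERROR(EINVAL)` at allocation time. If that is intended it deserves a line in the function's public documentation, which is outside this diff. The same applies to the `"ichl"` check in the following hunk. Both hunks also pass the option names as the label, so the log reads `ochl channel layout "..." is invalid or unsupported.`, while `swr_init()` and `swr_set_matrix()` pass `"input"`/`"output"`; using `"output"` and `"input"` here as well keeps the messages uniform.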
