From 5470d024e18968b3bdef2b745966f7617f1eb9f2 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 17 Feb 2025 11:41:25 -0300 Subject: [PATCH] avformat/iamf_parse: ensure there's at most one of each parameter types in audio elements Should prevent potential memory leaks on invalid files. Signed-off-by: James Almer --- libavformat/iamf_parse.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index f71ea5315b..db40ae37ab 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -752,11 +752,19 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len) type = ffio_read_leb(pbc); if (type == AV_IAMF_PARAMETER_DEFINITION_MIX_GAIN) ret = AVERROR_INVALIDDATA; - else if (type == AV_IAMF_PARAMETER_DEFINITION_DEMIXING) + else if (type == AV_IAMF_PARAMETER_DEFINITION_DEMIXING) { + if (element->demixing_info) { + ret = AVERROR_INVALIDDATA; + goto fail; + } ret = param_parse(s, c, pbc, type, audio_element, &element->demixing_info); - else if (type == AV_IAMF_PARAMETER_DEFINITION_RECON_GAIN) + } else if (type == AV_IAMF_PARAMETER_DEFINITION_RECON_GAIN) { + if (element->recon_gain_info) { + ret = AVERROR_INVALIDDATA; + goto fail; + } ret = param_parse(s, c, pbc, type, audio_element, &element->recon_gain_info); - else { + } else { unsigned param_definition_size = ffio_read_leb(pbc); avio_skip(pbc, param_definition_size); }