From 66c05dc03163998fb9a90ebd53e2c39a4f95b7ea Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 14 Aug 2024 13:46:53 -0300 Subject: [PATCH] avformat/iamf_parse: ignore Audio Elements with an unsupported type Better fix for the NULL pointer dereference from d7f83fc2f423. Signed-off-by: James Almer --- libavformat/iamf_parse.c | 9 +++++++-- libavformat/iamfdec.c | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index 296e49157b..bc8d726b53 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -636,6 +636,12 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len) } audio_element_type = avio_r8(pbc) >> 5; + if (audio_element_type > AV_IAMF_AUDIO_ELEMENT_TYPE_SCENE) { + av_log(s, AV_LOG_DEBUG, "Unknown audio_element_type referenced in an audio element. Ignoring\n"); + ret = 0; + goto fail; + } + codec_config_id = ffio_read_leb(pbc); codec_config = ff_iamf_get_codec_config(c, codec_config_id); @@ -751,8 +757,7 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len) if (ret < 0) goto fail; } else { - unsigned audio_element_config_size = ffio_read_leb(pbc); - avio_skip(pbc, audio_element_config_size); + av_assert0(0); } c->audio_elements[c->nb_audio_elements++] = audio_element; diff --git a/libavformat/iamfdec.c b/libavformat/iamfdec.c index 2e6608b868..ce6d4aa064 100644 --- a/libavformat/iamfdec.c +++ b/libavformat/iamfdec.c @@ -107,7 +107,7 @@ static int iamf_read_header(AVFormatContext *s) if (ret < 0) return ret; - if (!i && !j && audio_element->nb_layers && audio_element->layers[0].substream_count == 1) + if (!i && !j && audio_element->layers[0].substream_count == 1) st->disposition |= AV_DISPOSITION_DEFAULT; else st->disposition |= AV_DISPOSITION_DEPENDENT;