avformat/iamf_parse: Check sound_system

Fixes: index 13 out of bounds for type 'const struct IAMFSoundSystemMap [13]' Fixes: 67796/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4554553191104512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2024-04-04 00:20:34 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2024-04-04 19:38:29 +0200
commit: 4593cf7ab3f0ff2884880b625f1873f0eaf7a439 (patch)
tree: 21d00917e3e21dd6aecdba4c0a6844076b87758b
parent: 28c7094b25b689185155a6833caf2747b94774a4 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 3867adb117..f8074c2de1 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -934,6 +934,10 @@ static int mix_presentation_obu(void *s, IAMFContext *c, AVIOContext *pb, int le
             if (submix_layout->layout_type == 2) {
                 int sound_system;
                 sound_system = (byte >> 2) & 0xF;
+                if (sound_system >= FF_ARRAY_ELEMS(ff_iamf_sound_system_map)) {
+                    ret = AVERROR_INVALIDDATA;
+                    goto fail;
+                }
                 av_channel_layout_copy(&submix_layout->sound_system, &ff_iamf_sound_system_map[sound_system].layout);
             }
author	Michael Niedermayer <michael@niedermayer.cc>	2024-04-04 00:20:34 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2024-04-04 19:38:29 +0200
commit	4593cf7ab3f0ff2884880b625f1873f0eaf7a439 (patch)
tree	21d00917e3e21dd6aecdba4c0a6844076b87758b
parent	28c7094b25b689185155a6833caf2747b94774a4 (diff)