avfilter/af_pan: fix sscanf() return value checks in parse_channel_name

sscanf() returns EOF (-1) on input failure, which is non-zero and passes a bare truthy check. When this happens, the %n directive is never processed, so len stays uninitialized. Using that value to advance the arg pointer causes an out-of-bounds read and crash. Check for >= 1 instead, matching the fix applied to the other sscanf() call in init() by commit b5b6391d64. Fixes: https://code.ffmpeg.org/FFmpeg/FFmpeg/issues/22451 Signed-off-by: marcos ashton <marcosashiglesias@gmail.com> (cherry picked from commit a43ea8bff7) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-06-30 19:58:17 +00:00 · 2026-03-20 23:49:25 +00:00
parent 2c41325dbb
commit 4955c18f6e
1 changed files with 2 additions and 2 deletions
--- a/libavfilter/af_pan.c
+++ b/libavfilter/af_pan.c
@@ -70,7 +70,7 @@ static int parse_channel_name(char **arg, int *rchannel, int *rnamed)

    skip_spaces(arg);
    /* try to parse a channel name, e.g. "FL" */
-    if (sscanf(*arg, "%7[A-Z]%n", buf, &len)) {
+    if (sscanf(*arg, "%7[A-Z]%n", buf, &len) >= 1) {
        channel_id = av_channel_from_string(buf);
        if (channel_id < 0)
            return channel_id;
@@ -81,7 +81,7 @@ static int parse_channel_name(char **arg, int *rchannel, int *rnamed)
        return 0;
    }
    /* try to parse a channel number, e.g. "c2" */
-    if (sscanf(*arg, "c%d%n", &channel_id, &len) &&
+    if (sscanf(*arg, "c%d%n", &channel_id, &len) >= 1 &&
        channel_id >= 0 && channel_id < MAX_CHANNELS) {
        *rchannel = channel_id;
        *rnamed = 0;