[FFmpeg-cvslog] avformat/mov: Check sample_count and auxiliary_info_default_size to be 0

Michael Niedermayer git at videolan.org
Sun Apr 14 04:43:51 EEST 2024


ffmpeg | branch: release/6.1 | Michael Niedermayer <michael at niedermayer.cc> | Wed Mar 20 02:06:34 2024 +0100| [b171edca3c990fc2858f028bc01ffd828e762b2f] | committer: Michael Niedermayer

avformat/mov: Check sample_count and auxiliary_info_default_size to be 0

This combination causes 0 size arrays to be allocated and to leak later

Fixes: memleak
Fixes: 64342/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4520993686945792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 3c43299e9e642e73b31be7ac7c49700949946e13)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b171edca3c990fc2858f028bc01ffd828e762b2f
---

 libavformat/mov.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 55bafaa26a..20b6ef3dac 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6754,6 +6754,9 @@ static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     sample_count = avio_rb32(pb);
 
     if (encryption_index->auxiliary_info_default_size == 0) {
+        if (sample_count == 0)
+            return AVERROR_INVALIDDATA;
+
         encryption_index->auxiliary_info_sizes = av_malloc(sample_count);
         if (!encryption_index->auxiliary_info_sizes)
             return AVERROR(ENOMEM);



More information about the ffmpeg-cvslog mailing list