[FFmpeg-devel] [PATCH 1/7] avformat/mov_chan: Check for FF_SANE_NB_CHANNELS

[Michael Niedermayer]

We do not support more channels. For example avcodec_open2() limits channels this way too

The example file contains multiple chunks with over 16 million channels

Fixes: Timeout / DOS
Fixes: 67143/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-4858720481771520

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavformat/mov_chan.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c
index cc5b3331290..2cc6b2a7797 100644
--- a/libavformat/mov_chan.c
+++ b/libavformat/mov_chan.c
@@ -30,6 +30,7 @@
 #include "libavutil/channel_layout.h"
 #include "libavutil/mem.h"
 #include "libavcodec/codec_id.h"
+#include "libavcodec/internal.h"
 #include "mov_chan.h"
 
 enum {
@@ -549,6 +550,10 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st,
                    num_descr, nb_channels);
             num_descr = nb_channels;
         }
+        if (nb_channels > FF_SANE_NB_CHANNELS) {
+            ret = AVERROR(ENOTSUP);
+            goto out;
+        }
 
         av_channel_layout_uninit(ch_layout);
         ret = av_channel_layout_custom_init(ch_layout, nb_channels);
-- 
2.46.0