[FFmpeg-devel] [PATCH] avformat/mov: perform sanity checks for heif before index building

James Almer jamrial at gmail.com
Wed Jan 8 23:05:16 EET 2025


On 1/8/2025 5:31 PM, Michael Niedermayer wrote:
> Fixes: undefined NULL pointer use
> Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-6363211175493632
> 
> This performs equivalent sanity checks as are done in mov_read_trak()
> before mov_build_index()
> 
> Reported-by: Dale Curtis <dalecurtis at chromium.org>
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>   libavformat/mov.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 56f732bfcfb..33823b98b2f 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -10411,6 +10411,10 @@ static int mov_parse_heif_items(AVFormatContext *s)
>           if (sc->sample_count != 1 || sc->chunk_count != 1)
>               return AVERROR_INVALIDDATA;
>   
> +            /* sanity checks */
> +        if (!sc->stts_count || !sc->stsc_count)
> +            return AVERROR_INVALIDDATA;
> +
>           sc->sample_sizes[0]  = item->extent_length;
>           sc->chunk_offsets[0] = item->extent_offset + offset;

Ok, so the issue is a rogue stts atom showing up after the item stream 
was allocated.

Do you think copying the thorough checks from mov_read_trak() may be 
safer than simply looking for count values to not be 0?
Like so:

> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index a881acf99d..e56a66e1b7 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -10406,8 +10406,15 @@ static int mov_parse_heif_items(AVFormatContext *s)
>          st->codecpar->width  = item->width;
>          st->codecpar->height = item->height;
> 
> -        if (sc->sample_count != 1 || sc->chunk_count != 1)
> +        /* sanity checks */
> +        if ((sc->chunk_count && (!sc->stts_count || !sc->stsc_count ||
> +                                (!sc->sample_size && !sc->sample_count))) ||
> +            (!sc->chunk_count && sc->sample_count) ||
> +            (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count)) {
> +            av_log(s, AV_LOG_ERROR, "HEIF item id %d has a broken header\n",
> +                   item->item_id);
>              return AVERROR_INVALIDDATA;
> +        }
> 
>          sc->sample_sizes[0]  = item->extent_length;
>          sc->chunk_offsets[0] = item->extent_offset + offset;


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20250108/2dae2fed/attachment.sig>


More information about the ffmpeg-devel mailing list