[FFmpeg-devel] [PATCH] avformat/mov: perform sanity checks for heif before index building
James Almer
jamrial at gmail.com
Wed Jan 8 23:05:16 EET 2025
On 1/8/2025 5:31 PM, Michael Niedermayer wrote:
> Fixes: undefined NULL pointer use
> Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-6363211175493632
>
> This performs equivalent sanity checks as are done in mov_read_trak()
> before mov_build_index()
>
> Reported-by: Dale Curtis <dalecurtis at chromium.org>
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavformat/mov.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 56f732bfcfb..33823b98b2f 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -10411,6 +10411,10 @@ static int mov_parse_heif_items(AVFormatContext *s)
> if (sc->sample_count != 1 || sc->chunk_count != 1)
> return AVERROR_INVALIDDATA;
>
> + /* sanity checks */
> + if (!sc->stts_count || !sc->stsc_count)
> + return AVERROR_INVALIDDATA;
> +
> sc->sample_sizes[0] = item->extent_length;
> sc->chunk_offsets[0] = item->extent_offset + offset;
Ok, so the issue is a rogue stts atom showing up after the item stream
was allocated.
Do you think copying the thorough checks from mov_read_trak() may be
safer than simply looking for count values to not be 0?
Like so:
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index a881acf99d..e56a66e1b7 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -10406,8 +10406,15 @@ static int mov_parse_heif_items(AVFormatContext *s)
> st->codecpar->width = item->width;
> st->codecpar->height = item->height;
>
> - if (sc->sample_count != 1 || sc->chunk_count != 1)
> + /* sanity checks */
> + if ((sc->chunk_count && (!sc->stts_count || !sc->stsc_count ||
> + (!sc->sample_size && !sc->sample_count))) ||
> + (!sc->chunk_count && sc->sample_count) ||
> + (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count)) {
> + av_log(s, AV_LOG_ERROR, "HEIF item id %d has a broken header\n",
> + item->item_id);
> return AVERROR_INVALIDDATA;
> + }
>
> sc->sample_sizes[0] = item->extent_length;
> sc->chunk_offsets[0] = item->extent_offset + offset;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20250108/2dae2fed/attachment.sig>
More information about the ffmpeg-devel
mailing list