[FFmpeg-devel] [PATCH 5/8] avformat/mov: Check that sample_sizes is allocated in mov_parse_heif_items()
James Almer
jamrial at gmail.com
Fri Jun 20 03:53:33 EEST 2025
On 6/19/2025 9:32 PM, Michael Niedermayer wrote:
> Fixes: NULL pointer dereference
> Fixes: 416811958/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5425269114732544
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavformat/mov.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 8a094b1ea0a..22488b517cb 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -10332,6 +10332,9 @@ static int mov_parse_heif_items(AVFormatContext *s)
>
> st = item->st;
> sc = st->priv_data;
> + if (!sc->sample_sizes)
> + return AVERROR_INVALIDDATA;
> +
> st->codecpar->width = item->width;
> st->codecpar->height = item->height;
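Review bot: The new `if (!sc->sample_sizes) return AVERROR_INVALIDDATA;` at the top of the hunk stops the dereference but labels the condition as malformed input, while the only visible way for `sc->sample_sizes` to be NULL is the `av_malloc_array()` failure in `heif_add_stream()`, which already reports `AVERROR(ENOMEM)`; if that is the path the fuzzer hit, returning `AVERROR_INVALIDDATA` here mislabels an out-of-memory condition and hides the fact that the stream was left half-initialised. Add a comment above the check stating which path leaves `item->st` with a NULL `sample_sizes`, or propagate the original error instead of inventing a new one at this point.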
Does the following fix it too?
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 8a094b1ea0..a2a9c10f20 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -5430,18 +5430,18 @@ static int heif_add_stream(MOVContext *c, HEIFItem *item)
> sc->stsc_data[0].first = 1;
> sc->stsc_data[0].count = 1;
> sc->stsc_data[0].id = 1;
> - sc->chunk_count = 1;
> sc->chunk_offsets = av_malloc_array(1, sizeof(*sc->chunk_offsets));
> if (!sc->chunk_offsets)
> return AVERROR(ENOMEM);
> - sc->sample_count = 1;
> + sc->chunk_count = 1;
> sc->sample_sizes = av_malloc_array(1, sizeof(*sc->sample_sizes));
> if (!sc->sample_sizes)
> return AVERROR(ENOMEM);
> - sc->stts_count = 1;
> + sc->sample_count = 1;
> sc->stts_data = av_malloc_array(1, sizeof(*sc->stts_data));
> if (!sc->stts_data)
> return AVERROR(ENOMEM);
> + sc->stts_count = 1;
> sc->stts_data[0].count = 1;
> // Not used for still images. But needed by mov_build_index.
> sc->stts_data[0].duration = 0;
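Review bot: Moving `sc->chunk_count = 1;`, `sc->sample_count = 1;` and `sc->stts_count = 1;` below their respective `av_malloc_array()` checks restores the invariant that a count is nonzero only when its array was allocated, which is what lets `sanity_checks()` catch the state instead of a later dereference; that only holds if `sanity_checks()` actually runs on these HEIF item streams before `mov_parse_heif_items()` reads `sc->sample_sizes`, and the hunk does not show that call, so state it in the commit message or add a one-line comment at the first moved assignment noting that the counts must stay 0 on the error paths because `sanity_checks()` relies on it.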
I'd rather have the checks in sanity_checks() detect this, so if
sc->sample_sizes is NULL then sc->sample_count should be 0.