[FFmpeg-devel] [PATCH] avformat/mov: perform sanity checks for heif before index building
Michael Niedermayer
michael at niedermayer.cc
Thu Jan 9 01:14:11 EET 2025
On Wed, Jan 08, 2025 at 06:05:16PM -0300, James Almer wrote:
> On 1/8/2025 5:31 PM, Michael Niedermayer wrote:
> > Fixes: undefined NULL pointer use
> > Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-6363211175493632
> >
> > This performs equivalent sanity checks as are done in mov_read_trak()
> > before mov_build_index()
> >
> > Reported-by: Dale Curtis <dalecurtis at chromium.org>
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavformat/mov.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 56f732bfcfb..33823b98b2f 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -10411,6 +10411,10 @@ static int mov_parse_heif_items(AVFormatContext *s)
> > if (sc->sample_count != 1 || sc->chunk_count != 1)
> > return AVERROR_INVALIDDATA;
> > + /* sanity checks */
> > + if (!sc->stts_count || !sc->stsc_count)
> > + return AVERROR_INVALIDDATA;
> > +
> > sc->sample_sizes[0] = item->extent_length;
> > sc->chunk_offsets[0] = item->extent_offset + offset;
>
> Ok, so the issue is a rogue stts atom showing up after the item stream was
> allocated.
>
> Do you think copying the thorough checks from mov_read_trak() may be safer
> than simply looking for count values to not be 0?
> Like so:
i had copied that then simplified it and these 2 checks is what remains after
removing impossible cases. but if you replace sample_count and chunk_count
checks. sure the whole could be reused.
ill post a patch that does this in a factored out function ((avoid duplicating
it as its identical more or less)
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The misfortune of the wise is better than the prosperity of the fool.
-- Epicurus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20250109/36b98202/attachment.sig>
More information about the ffmpeg-devel
mailing list