[FFmpeg-cvslog] avformat/mov: Check sample_count and auxiliary_info_default_size to be 0
Michael Niedermayer
git at videolan.org
Sun Apr 14 04:43:51 EEST 2024
ffmpeg | branch: release/6.1 | Michael Niedermayer <michael at niedermayer.cc> | Wed Mar 20 02:06:34 2024 +0100| [b171edca3c990fc2858f028bc01ffd828e762b2f] | committer: Michael Niedermayer
avformat/mov: Check sample_count and auxiliary_info_default_size to be 0
This combination causes 0 size arrays to be allocated and to leak later
Fixes: memleak
Fixes: 64342/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4520993686945792
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 3c43299e9e642e73b31be7ac7c49700949946e13)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b171edca3c990fc2858f028bc01ffd828e762b2f
---
libavformat/mov.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 55bafaa26a..20b6ef3dac 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6754,6 +6754,9 @@ static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
sample_count = avio_rb32(pb);
if (encryption_index->auxiliary_info_default_size == 0) {
+ if (sample_count == 0)
+ return AVERROR_INVALIDDATA;
+
encryption_index->auxiliary_info_sizes = av_malloc(sample_count);
if (!encryption_index->auxiliary_info_sizes)
return AVERROR(ENOMEM);
More information about the ffmpeg-cvslog
mailing list