avformat/mov: do not allocate out-of-range buffers

There's a possibility here with a well-crafted MP4 file containing only
the nested boxes in order: MOOV.TRAK.MDIA.MINF.STBL.SDTP where the
header size uses the 64 bit large size, and the ending sdtp box has some
size value >= 0x100000014.

On a 32 bit build of ffmpeg, av_malloc's size parameter drops the high
order bits of `entries`, and the allocation is now a controlled size
that is significantly smaller than `entries`. The following loop will
then write off the end of allocated memory with data that follows the
box fourcc.

(cherry picked from commit 86f53f9ffb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Ted Meyer 2026-03-05 17:33:36 -08:00 committed by Michael Niedermayer
parent 503ecaa13d
commit 42587e62bb
No known key found for this signature in database
GPG key ID: B18E8928B3948D64

@ -3288,6 +3288,9 @@ static int mov_read_sdtp(MOVContext *c, AVIOContext *pb, MOVAtom atom)
av_freep(&sc->sdtp_data);
sc->sdtp_count = 0;
if (entries < 0 || entries > SIZE_MAX)
return AVERROR(ERANGE);
sc->sdtp_data = av_malloc(entries);
if (!sc->sdtp_data)
return AVERROR(ENOMEM);
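
Review bot: the `entries > SIZE_MAX` half of the new check in `mov_read_sdtp` compares a signed value (the same condition tests `entries < 0`) against an unsigned constant. It only does useful work on builds where `size_t` is narrower than the type of `entries`, which is the 32 bit case the commit message describes. Where the two have the same width, `entries` is converted to unsigned, the comparison can never be true once `entries >= 0` has been established, and some compilers will flag it as always false. A one-line comment above the check saying it guards the narrowing conversion into the `av_malloc(entries)` size argument would keep a later cleanup from deleting it as dead code. The placement after `av_freep(&sc->sdtp_data)` and `sc->sdtp_count = 0` is good: the early return leaves the stream context with no stale pointer or count. One thing to confirm outside the visible lines is that the loop following the allocation is bounded by the same `entries` value that was validated here and not by a separately derived count.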