This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit 1f217b4b7dbfe16da99d03dee81b6eba3fe023d3 Author: Ted Meyer <[email protected]> AuthorDate: Thu Mar 5 17:33:36 2026 -0800 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Mar 15 00:49:56 2026 +0100 avformat/mov: do not allocate out-of-range buffers There's a possibility here with a well-crafted MP4 file containing only the nested boxes in order: MOOV.TRAK.MDIA.MINF.STBL.SDTP where the header size uses the 64 bit large size, and the ending stdp box has some size value >= 0x100000014. On a 32 bit build of ffmpeg, av_malloc's size parameter drops the high order bits of `entries`, and and the allocation is now a controlled size that is significantly smaller than `entries`. The following loop will then write off the ended of allocated memory with data that follows the box fourcc. (cherry picked from commit 86f53f9ffb779524085ead799b57da87c0c1cf7f) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9b7df252b2..f026c0fb4c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3697,6 +3697,9 @@ static int mov_read_sdtp(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_freep(&sc->sdtp_data); sc->sdtp_count = 0; + if (entries < 0 || entries > SIZE_MAX) + return AVERROR(ERANGE); + sc->sdtp_data = av_malloc(entries); if (!sc->sdtp_data) return AVERROR(ENOMEM); _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
