PR #21641 opened by Ted Meyer (usepgp)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21641
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21641.patch
`sc->stsd_count` can exceed `entries` if in ff_mov_read_stsd_entries there are multiple skipped stsd blocks. In this case, the `stsd_count` can get incremented too far, and when failure occurs, an OOB free happens. >From 0eb0d70175402e987a03f93ffe1191aa77f81ba6 Mon Sep 17 00:00:00 2001 From: Ted Meyer <[email protected]> Date: Tue, 3 Feb 2026 16:31:50 -0800 Subject: [PATCH] Fix out-of-bounds av_freep call in stsd parser `sc->stsd_count` can exceed `entries` if in ff_mov_read_stsd_entries there are multiple skipped stsd blocks. In this case, the `stsd_count` can get incremented too far, and when failure occurs, an OOB free happens. --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index d19b213ffa..4deb76d37c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3254,7 +3254,7 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom) fail: if (sc->extradata) { int j; - for (j = 0; j < sc->stsd_count; j++) + for (j = 0; j < entries; j++) av_freep(&sc->extradata[j]); } -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
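Review bot: In the `fail:` loop of `mov_read_stsd`, bounding by `entries` is only safe if `sc->extradata` was allocated with exactly `entries` zero-initialized slots, because the loop now calls `av_freep(&sc->extradata[j])` on slots that may never have been filled. The hunk does not show the allocation, so please confirm that and mention it in the commit message. The change also leaves the cause described in the message in place: `sc->stsd_count` can still end up greater than `entries` inside `ff_mov_read_stsd_entries`, so any other use of `stsd_count` as an index or bound on `sc->extradata` remains exposed. Consider also capping the increment where the skipped stsd blocks are counted, or rejecting the input there, so the counter can never exceed the array size.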
