This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/7.1 in repository ffmpeg.
commit f13f71d9c12fba3df2b30c8807169b59ade1f0ba
Author: depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com>
AuthorDate: Thu Apr 23 02:47:11 2026 +0000
Commit: Michael Niedermayer <[email protected]>
CommitDate: Mon May 4 15:57:26 2026 +0200

avformat/mov: reject dimg references with zero entries

Reject dimg entries with a zero reference count in mov_read_iref_dimg(). This is the earliest point where the parser learns how many input images a derived HEIF item references, so it is the right place to enforce the invariant. If entries == 0 is accepted here, the value is stored in HEIFGrid.nb_tiles, later propagated by read_image_iovl() into AVStreamGroupTileGrid.nb_tiles, and finally consumed in istg_parse_tile_grid(), which assumes at least one tile and reads tg->offsets[tg->nb_tiles - 1]. With zero tiles, that assumption breaks and leads to the out-of-bounds access seen in ASan.

Fixing the problem at the parser boundary is preferable to adding a later workaround because it prevents creation of an invalid derived-image state and stops that malformed state from reaching downstream consumers.

This is also consistent with the HEIF specification. Both iovl and grid derived images are formed from one or more input images, and for grid the dimg reference count must equal rows * columns; since rows and columns are encoded as *_minus_one + 1, that count cannot be zero. A zero dimg entry count is therefore invalid input and should be rejected when parsed.

(cherry picked from commit 68ea660d83f27c1f45be12af21e30858d3a2cbeb)

Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/mov.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 8db14bd8fe..921ea8db3a 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -8883,6 +8883,13 @@ static int mov_read_iref_dimg(MOVContext *c, AVIOContext *pb, int version) return AVERROR_INVALIDDATA; } + entries = avio_rb16(pb); + if (!entries) { + av_log(c->fc, AV_LOG_ERROR, + "Derived image item references no input images\n"); + return AVERROR_INVALIDDATA; + } + grid = av_realloc_array(c->heif_grid, c->nb_heif_grid + 1U, sizeof(*c->heif_grid)); if (!grid) @@ -8890,7 +8897,6 @@ static int mov_read_iref_dimg(MOVContext *c, AVIOContext *pb, int version) c->heif_grid = grid; grid = &grid[c->nb_heif_grid]; - entries = avio_rb16(pb); grid->tile_id_list = av_malloc_array(entries, sizeof(*grid->tile_id_list)); grid->tile_item_list = av_calloc(entries, sizeof(*grid->tile_item_list)); if (!grid->tile_id_list || !grid->tile_item_list) { _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
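Review bot: in the first hunk (@@ -8883) the new check only enforces the lower bound; the commit message also states that for grid items the dimg count must equal rows * columns, and that equality is not enforced here, so it is worth confirming, and saying in the message, where nb_tiles is compared against rows * columns once those values are known. Hoisting `entries = avio_rb16(pb);` above `av_realloc_array()` is the right order, because rejecting the item before the heif_grid array grows avoids leaving a partially initialised HEIFGrid slot behind. If the item id is available at this point, including it in the `av_log()` message would make a rejected file easier to trace to the offending item.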
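Review bot: in the second hunk (@@ -8890) removing the later `entries = avio_rb16(pb);` means `entries` is now guaranteed nonzero when it reaches `av_malloc_array()` and `av_calloc()`, so a zero count can no longer produce zero-length allocations that pass the `if (!grid->tile_id_list || !grid->tile_item_list)` check; that is the property the fix relies on and deserves a one-line comment above the allocations. Also double-check that the error path following these allocations unwinds the slot just appended via `c->heif_grid = grid`, since that slot is now created only for a validated count; the cleanup is outside the visible context.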
