This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new c7e0bac050 avformat/matroskadec: bound TRACKENTRY parsing by
max_streams
c7e0bac050 is described below
commit c7e0bac050a672a220ed8ee6dbdc25abfb3336a8
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri May 29 17:56:22 2026 +0200
Commit: michaelni <[email protected]>
CommitDate: Fri Jun 5 01:11:11 2026 +0000
avformat/matroskadec: bound TRACKENTRY parsing by max_streams
After the fix the reproducer finishes in 43 ms instead of OOM-ing at the
2 GB limit. Legitimate .mkv/.webm fate samples still parse cleanly.
Fixes:
471604245/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6662979358883840
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavformat/matroskadec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 6570584bab..965674bc3b 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1339,6 +1339,13 @@ static int ebml_parse(MatroskaDemuxContext *matroska,
if ((unsigned)list->nb_elem + 1 >= UINT_MAX /
syntax->list_elem_size)
return AVERROR(ENOMEM);
+ if (syntax->id == MATROSKA_ID_TRACKENTRY &&
+ list->nb_elem >= matroska->ctx->max_streams) {
+ av_log(matroska->ctx, AV_LOG_ERROR,
+ "Number of tracks exceeds max_streams (%d)\n",
+ matroska->ctx->max_streams);
+ return AVERROR(EINVAL);
+ }
newelem = av_fast_realloc(list->elem,
&list->alloc_elem_size,
(list->nb_elem + 1) *
syntax->list_elem_size);
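Review bot: The added check on `syntax->id == MATROSKA_ID_TRACKENTRY` returns AVERROR(EINVAL), but the condition is triggered by the content of the file rather than by a bad caller argument, so AVERROR_INVALIDDATA would describe it more accurately and keep it distinct from the AVERROR(ENOMEM) overflow check just above. Because this special-cases one element ID inside the generic list-growth path of ebml_parse(), a short comment above the `if` stating that the cap exists to bound memory use would help later readers; the commit message mentions the reproducer hitting the 2 GB limit, but the code itself does not say why this ID is bounded here.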