Re: [FFmpeg-devel] [PATCH] avformat/mov: perform sanity checks for heif before index building

[James Almer]

On 1/8/2025 5:31 PM, Michael Niedermayer wrote:

Fixes: undefined NULL pointer use
Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-6363211175493632

This performs equivalent sanity checks as are done in mov_read_trak()
before mov_build_index()

Reported-by: Dale Curtis <dalecur...@chromium.org>
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
  libavformat/mov.c | 4 ++++
  1 file changed, 4 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 56f732bfcfb..33823b98b2f 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -10411,6 +10411,10 @@ static int mov_parse_heif_items(AVFormatContext *s)
          if (sc->sample_count != 1 || sc->chunk_count != 1)
              return AVERROR_INVALIDDATA;

+        if (!sc->stts_count || !sc->stsc_count)
+            return AVERROR_INVALIDDATA;
+
          sc->sample_sizes[0]  = item->extent_length;
          sc->chunk_offsets[0] = item->extent_offset + offset;

+ /* sanity checks */

Like so:

Ok, so the issue is a rogue stts atom showing up after the item stream was allocated. Do you think copying the thorough checks from mov_read_trak() may be safer than simply looking for count values to not be 0?

diff --git a/libavformat/mov.c b/libavformat/mov.c
index a881acf99d..e56a66e1b7 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -10406,8 +10406,15 @@ static int mov_parse_heif_items(AVFormatContext *s)
         st->codecpar->width  = item->width;
         st->codecpar->height = item->height;

-        if (sc->sample_count != 1 || sc->chunk_count != 1)
+        /* sanity checks */
+        if ((sc->chunk_count && (!sc->stts_count || !sc->stsc_count ||
+                                (!sc->sample_size && !sc->sample_count))) ||
+            (!sc->chunk_count && sc->sample_count) ||
+            (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > 
sc->chunk_count)) {
+            av_log(s, AV_LOG_ERROR, "HEIF item id %d has a broken header\n",
+                   item->item_id);
             return AVERROR_INVALIDDATA;
+        }

         sc->sample_sizes[0]  = item->extent_length;
         sc->chunk_offsets[0] = item->extent_offset + offset;

OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".