On Wed, Jan 08, 2025 at 06:05:16PM -0300, James Almer wrote: > On 1/8/2025 5:31 PM, Michael Niedermayer wrote: > > Fixes: undefined NULL pointer use > > Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-6363211175493632 > > > > This performs equivalent sanity checks as are done in mov_read_trak() > > before mov_build_index() > > > > Reported-by: Dale Curtis <dalecur...@chromium.org> > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > libavformat/mov.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/libavformat/mov.c b/libavformat/mov.c > > index 56f732bfcfb..33823b98b2f 100644 > > --- a/libavformat/mov.c > > +++ b/libavformat/mov.c > > @@ -10411,6 +10411,10 @@ static int mov_parse_heif_items(AVFormatContext *s) > > if (sc->sample_count != 1 || sc->chunk_count != 1) > > return AVERROR_INVALIDDATA; > > + /* sanity checks */ > > + if (!sc->stts_count || !sc->stsc_count) > > + return AVERROR_INVALIDDATA; > > + > > sc->sample_sizes[0] = item->extent_length; > > sc->chunk_offsets[0] = item->extent_offset + offset; > > Ok, so the issue is a rogue stts atom showing up after the item stream was > allocated. > > Do you think copying the thorough checks from mov_read_trak() may be safer > than simply looking for count values to not be 0? > Like so:
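Review bot: the two new lines in the mov_parse_heif_items() hunk are labelled only `/* sanity checks */`, which does not tell the next reader why they exist; since the commit message says they mirror the checks mov_read_trak() performs before mov_build_index(), the comment should name that function so the two copies are kept in sync, or better, the shared conditions should live in one helper called from both paths instead of being duplicated (which is where the reply is heading). The commit message would also benefit from naming which pointer the fuzzer case dereferenced: "undefined NULL pointer use" plus the testcase id does not say whether it was the stts or the stsc table, and that is what justifies checking exactly these two counts.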
I had copied that, then simplified it, and these 2 checks are what remains after removing impossible cases. But if you replace the sample_count and chunk_count checks, sure, the whole could be reused. I'll post a patch that does this in a factored-out function (avoid duplicating it, as it's identical more or less).

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The misfortune of the wise is better than the prosperity of the fool. -- Epicurus
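To make the discussion concrete, here is an added example (not FFmpeg code and not the patch Michael says he will post) of what a factored-out table check looks like next to a consumer that would dereference the tables unconditionally. The struct, the helper name check_sample_tables(), the toy build_index() and the constructed inputs are all assumptions for this illustration; only the two conditions (single sample and chunk, non-zero stts/stsc counts) come from the quoted hunk. The example goes one step beyond the hunk by also rejecting a non-zero count whose table pointer is NULL, since the index builder would crash on that just the same.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_INVALIDDATA (-1)

/* Hypothetical stand-in for the handful of MOVStreamContext fields the
 * quoted patch looks at. Not FFmpeg's struct; constructed for this example. */
typedef struct {
    unsigned sample_count;
    unsigned chunk_count;
    unsigned stts_count;
    unsigned stsc_count;
    const uint32_t *stts_data;  /* NULL when no stts table was parsed */
    const uint32_t *stsc_data;  /* NULL when no stsc table was parsed */
} SampleTables;

/* One place for the table checks, so a trak path and a HEIF item path
 * share the same conditions instead of drifting apart. Hypothetical name. */
static int check_sample_tables(const SampleTables *sc)
{
    /* The two conditions from the quoted hunk. */
    if (!sc->stts_count || !sc->stsc_count)
        return ERR_INVALIDDATA;
    /* Added here: a non-zero count with a missing table is equally unusable. */
    if (!sc->stts_data || !sc->stsc_data)
        return ERR_INVALIDDATA;
    return 0;
}

/* Toy index builder: reads both tables unconditionally, which is exactly
 * the kind of consumer the checks above exist to protect. */
static uint32_t build_index(const SampleTables *sc)
{
    return sc->stts_data[0] + sc->stsc_data[0];
}

/* HEIF-item style entry point: its own single-sample requirement first,
 * then the shared table checks, then the index build. */
static int parse_item(const SampleTables *sc, uint32_t *out)
{
    if (sc->sample_count != 1 || sc->chunk_count != 1)
        return ERR_INVALIDDATA;
    int ret = check_sample_tables(sc);
    if (ret < 0)
        return ret;
    *out = build_index(sc);
    return 0;
}

/* Returns the built index on success, ERR_INVALIDDATA on rejection. */
static int demo(const SampleTables *sc)
{
    uint32_t idx = 0;
    if (parse_item(sc, &idx) < 0)
        return ERR_INVALIDDATA;
    return (int)idx;
}

/* Constructed inputs: a well-formed single-sample item, and one whose
 * stts count is zero with no table behind it, the shape the hunk rejects. */
static const uint32_t good_stts[] = { 1 };
static const uint32_t good_stsc[] = { 1 };
static const SampleTables good_item  = { 1, 1, 1, 1, good_stts, good_stsc };
static const SampleTables empty_stts = { 1, 1, 0, 1, NULL,      good_stsc };
/* Count claims a table but none was ever allocated. */
static const SampleTables lying_stts = { 1, 1, 1, 1, NULL,      good_stsc };

int main(void)
{
    printf("good item        -> %d\n", demo(&good_item));
    printf("empty stts       -> %d\n", demo(&empty_stts));
    printf("count without table -> %d\n", demo(&lying_stts));
    return 0;
}
```

Without check_sample_tables(), the second and third inputs reach build_index() and read through a NULL pointer; with it, both are rejected before the index is built, and the same helper can be called from wherever else the tables are consumed.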
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".