diff mbox series

[FFmpeg-devel,2/3] avformat/mov: Check sample_count and auxiliary_info_default_size to be 0

Message ID 20240320021926.3759-2-michael@niedermayer.cc
State Accepted
Commit 3c43299e9e642e73b31be7ac7c49700949946e13
Headers show
Series [FFmpeg-devel,1/3] avformat/wady: Check >0 samplerate and channels 1 || 2. | expand

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer March 20, 2024, 2:19 a.m. UTC 
This combination causes 0 size arrays to be allocated and to leak later

Fixes: memleak
Fixes: 64342/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4520993686945792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 3 +++
 1 file changed, 3 insertions(+)
diff mbox series

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 8d1135270c..f954b924a0 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6994,6 +6994,9 @@  static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     sample_count = avio_rb32(pb);
 
     if (encryption_index->auxiliary_info_default_size == 0) {
+        if (sample_count == 0)
+            return AVERROR_INVALIDDATA;
+
         encryption_index->auxiliary_info_sizes = av_malloc(sample_count);
         if (!encryption_index->auxiliary_info_sizes)
             return AVERROR(ENOMEM);