virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-21 10:55:51 +02:00
Code Issues Releases Activity

avformat/mov: ensure all items id referenced by a grid are valid

Browse Source 
Fixes: null pointer dereference
Fixes: 67494/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6528714521247744

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Tested-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
This commit is contained in:
James Almer 2024-04-01 21:13:04 -03:00
parent a8e518e3a7
commit f492f1ac23
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libavformat/mov.c
View File

@ -9397,8 +9397,9 @@ static int mov_parse_tiles(AVFormatContext *s)
for (int j = 0; j < grid->nb_tiles; j++) { for (int j = 0; j < grid->nb_tiles; j++) {
int tile_id = grid->tile_id_list[j]; int tile_id = grid->tile_id_list[j];
int k;
for (int k = 0; k < mov->nb_heif_item; k++) { for (k = 0; k < mov->nb_heif_item; k++) {
HEIFItem *item = &mov->heif_item[k]; HEIFItem *item = &mov->heif_item[k];
AVStream *st = item->st; AVStream *st = item->st;
@ -9424,6 +9425,13 @@ static int mov_parse_tiles(AVFormatContext *s)
break; break;
} }
if (k == grid->nb_tiles) {
av_log(s, AV_LOG_WARNING, "HEIF item id %d referenced by grid id %d doesn't "
"exist\n",
tile_id, grid->item->item_id);
ff_remove_stream_group(s, stg);
loop = 0;
}
if (!loop) if (!loop)
break; break;
} }