This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit 343938f1828034da6ed6af1ad0ad6f78c23b0b18
Author: James Almer <[email protected]>
AuthorDate: Wed Mar 4 00:06:19 2026 +0100
Commit: James Almer <[email protected]>
CommitDate: Thu Mar 5 23:21:21 2026 -0300
avformat/mov: Fix multiple issues related to mov_read_iref_dimg() forward errors and cleanup in teh failure cases
Fixes: freeing uninitialized pointers
Fixes: 487160965/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6525162874011648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit f10c0ae276d2907d243351c8f1167f9c26f350a0)
---
 libavformat/mov.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 54fe8515d8..6da60ac298 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -9056,6 +9056,7 @@ static int mov_read_iref_dimg(MOVContext *c, AVIOContext *pb, int version)
 HEIFGrid *grid;
 int entries, i;
 int from_item_id = version ? avio_rb32(pb) : avio_rb16(pb);
+ int ret = 0;
 for (int i = 0; i < c->nb_heif_grid; i++) {
 if (c->heif_grid[i].item->item_id == from_item_id) {
@@ -9090,29 +9091,40 @@ static int mov_read_iref_dimg(MOVContext *c, AVIOContext *pb, int version)
 if (!grid) return AVERROR(ENOMEM);
 c->heif_grid = grid;
- grid = &grid[c->nb_heif_grid++];
+ grid = &grid[c->nb_heif_grid];
 entries = avio_rb16(pb);
 grid->tile_id_list = av_malloc_array(entries, sizeof(*grid->tile_id_list));
 grid->tile_idx_list = av_calloc(entries, sizeof(*grid->tile_idx_list));
 grid->tile_item_list = av_calloc(entries, sizeof(*grid->tile_item_list));
- if (!grid->tile_id_list || !grid->tile_item_list || !grid->tile_idx_list)
- return AVERROR(ENOMEM);
+ if (!grid->tile_id_list || !grid->tile_item_list || !grid->tile_idx_list) {
+ ret = AVERROR(ENOMEM);
+ goto fail;
+ }
 /* 'to' item ids */
 for (i = 0; i < entries; i++) {
 grid->tile_id_list[i] = version ? avio_rb32(pb) : avio_rb16(pb);
- if (avio_feof(pb))
- return AVERROR_INVALIDDATA;
+ if (avio_feof(pb)) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
 }
 grid->nb_tiles = entries;
 grid->item = item;
+ ++c->nb_heif_grid;
 av_log(c->fc, AV_LOG_TRACE, "dimg: from_item_id %d, entries %d\n", from_item_id, entries);
 return 0;
+fail:
+ av_freep(&grid->tile_id_list);
+ av_freep(&grid->tile_idx_list);
+ av_freep(&grid->tile_item_list);
+
+ return ret;
 }
 static int mov_read_iref_thmb(MOVContext *c, AVIOContext *pb, int version)
@@ -9174,8 +9186,12 @@ static int mov_read_iref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 type = avio_rl32(pb);
 switch (type) {
 case MKTAG('d','i','m','g'):
- mov_read_iref_dimg(c, pb, version);
+ {
+ int ret = mov_read_iref_dimg(c, pb, version);
+ if (ret < 0)
+ return ret;
 break;
+ }
 case MKTAG('t','h','m','b'):
 mov_read_iref_thmb(c, pb, version);
 break;
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
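Review bot: The new slot taken with `grid = &grid[c->nb_heif_grid];` is never zeroed, and the visible code assigns only `tile_id_list`, `tile_idx_list`, `tile_item_list`, `nb_tiles` and `item` before `++c->nb_heif_grid` publishes it. The array growth happens above the hunk and looks like a realloc-style call, so if `HEIFGrid` has any other member (its definition is not shown here), that member stays indeterminate in a counted entry, which is the same class of bug the commit message cites. Adding `memset(grid, 0, sizeof(*grid));` right after taking the slot would make the `fail:` path and any later cleanup independent of which fields were reached. A short comment at the deferred increment would also help, e.g. `/* count the slot only once it is fully initialised */`. The function begins outside this hunk.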
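Review bot: The `thmb` case directly below the changed lines still discards the result of `mov_read_iref_thmb(c, pb, version);`, although that function is declared `static int` just like the dimg reader whose errors are now forwarded. If it can fail on malformed input, the same treatment applies: `ret = mov_read_iref_thmb(c, pb, version); if (ret < 0) return ret;`. Its body is not visible here, so whether ignoring its result is deliberate should be confirmed. Declaring one `int ret` at function scope would also avoid the brace block opened inside the `case`. `mov_read_iref` starts and ends outside the hunk.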
