This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/4.4
in repository ffmpeg.

commit e954e4632bc08450c86b8315b9485595fe84067d
Author:     Ted Meyer <[email protected]>
AuthorDate: Wed Apr 22 13:40:53 2026 -0700
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Tue May 5 18:55:11 2026 +0200

    avformat/mov: Check read size for opus extradata
    
    in mov_read_dops, `size` bytes is allocated for
    `st->codecpar->extradata`, but ff_alloc_extradata doesn't memset, so the
    contents of that buffer are just old heap data. If `avio_read` reads
    fewer bytes than were requested, uninitialized data can still be left in
    the extradata buffer, which is operated on by AV_WL16A and AV_WL32A.
    
    I think the best solution here is to just check the read size and ensure
    it's filling the extradata buffer in its entirety, or erroring out if
    there isn't enough data left.
    
    (cherry picked from commit 53cd2c9f2a3db437ed8d33df5a2681007040f39d)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/mov.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 0a83ec3116..e224d44e1a 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6863,7 +6863,11 @@ static int mov_read_dops(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
     AV_WL32(st->codecpar->extradata, MKTAG('O','p','u','s'));
     AV_WL32(st->codecpar->extradata + 4, MKTAG('H','e','a','d'));
     AV_WB8(st->codecpar->extradata + 8, 1); /* OpusHead version */
-    avio_read(pb, st->codecpar->extradata + 9, size - 9);
+    if ((ret = ffio_read_size(pb, st->codecpar->extradata + 9, size - 9)) < 0) 
{
+        av_freep(&st->codecpar->extradata);
+        st->codecpar->extradata_size = 0;
+        return ret;
+    }
 
     /* OpusSpecificBox is stored in big-endian, but OpusHead is
        little-endian; aside from the preceeding magic and version they're
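Review bot: the new error branch around `ffio_read_size(pb, st->codecpar->extradata + 9, size - 9)` assigns to `ret`, whose declaration lies outside the visible context; because this is a cherry-pick onto release/4.4, confirm that `ret` exists in this branch's `mov_read_dops` and that the file still builds. The length `size - 9` also depends on a lower bound on `size` that these lines do not show, so it is worth checking that the bound is enforced before this point in the backported function. A one-line comment on the cleanup (`av_freep` plus `extradata_size = 0`) saying that the buffer is dropped because a short read would leave it partly uninitialized would keep the reason next to the code, not only in the commit message.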

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
