[FFmpeg-cvslog] [ffmpeg] avformat/mov: cap HEIF ICC profile copies via c*max_streams to bound CPU and memory (branch master)

Tue, 02 Jun 2026 13:55:43 -0700 

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new 711cdae64f avformat/mov: cap HEIF ICC profile copies via c*max_streams 
to bound CPU and memory
711cdae64f is described below

commit 711cdae64f572ad2cb2ae879d33ac63f828e6e08
Author:     Omkhar Arasaratnam <[email protected]>
AuthorDate: Thu May 21 00:00:00 2026 +0000
Commit:     michaelni <[email protected]>
CommitDate: Tue Jun 2 20:55:14 2026 +0000

    avformat/mov: cap HEIF ICC profile copies via c*max_streams to bound CPU 
and memory
    
    Found-by: Claude (Anthropic). Human-verified and reported by
    Omkhar Arasaratnam <[email protected]>.
    Signed-off-by: Omkhar Arasaratnam <[email protected]>
---
 libavformat/isom.h | 1 +
 libavformat/mov.c  | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/libavformat/isom.h b/libavformat/isom.h
index 9b5437fb16..4e7f22b338 100644
--- a/libavformat/isom.h
+++ b/libavformat/isom.h
@@ -391,6 +391,7 @@ typedef struct MOVContext {
     int64_t idat_offset;
     int interleaved_read;
     AVDictionary* decryption_keys;
+    unsigned heif_icc_profile_items;
 } MOVContext;
 
 int ff_mp4_read_descr_len(AVIOContext *pb);
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 8eb67aaadf..436ca415c2 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2146,6 +2146,12 @@ static int mov_read_colr(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
                 return AVERROR(ENOMEM);
             icc_profile = sd->data;
         } else {
+            if (c->heif_icc_profile_items >= c->fc->max_streams) {
+                av_log(c->fc, AV_LOG_WARNING,
+                       "HEIF ICC profile copies exceed cap %d; ignoring 
further items\n",
+                       c->fc->max_streams);
+                return 0;
+            }
             av_freep(&item->icc_profile);
             icc_profile = item->icc_profile = av_malloc(atom.size - 4);
             if (!icc_profile) {
@@ -2153,6 +2159,7 @@ static int mov_read_colr(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
                 return AVERROR(ENOMEM);
             }
             item->icc_profile_size = atom.size - 4;
+            c->heif_icc_profile_items++;
         }
         ret = ffio_read_size(pb, icc_profile, atom.size - 4);
         if (ret < 0)

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to