This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit 89d9ad03455726e67730557c2172a81ed87f14e5 Author: Omkhar Arasaratnam <[email protected]> AuthorDate: Thu May 21 00:00:00 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Jun 14 04:41:00 2026 +0200 avformat/mov: cap HEIF ICC profile copies via c*max_streams to bound CPU and memory Found-by: Claude (Anthropic). Human-verified and reported by Omkhar Arasaratnam <[email protected]>. Signed-off-by: Omkhar Arasaratnam <[email protected]> (cherry picked from commit 711cdae64f572ad2cb2ae879d33ac63f828e6e08) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/isom.h | 1 + libavformat/mov.c | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/libavformat/isom.h b/libavformat/isom.h index d7e138585a..c7264defb6 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -386,6 +386,7 @@ typedef struct MOVContext { int64_t idat_offset; int interleaved_read; AVDictionary* decryption_keys; + unsigned heif_icc_profile_items; } MOVContext; int ff_mp4_read_descr_len(AVIOContext *pb); diff --git a/libavformat/mov.c b/libavformat/mov.c index 66318cf7fe..9a715bb23f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2139,6 +2139,12 @@ static int mov_read_colr(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR(ENOMEM); icc_profile = sd->data; } else { + if (c->heif_icc_profile_items >= c->fc->max_streams) { + av_log(c->fc, AV_LOG_WARNING, + "HEIF ICC profile copies exceed cap %d; ignoring further items\n", + c->fc->max_streams); + return 0; + } av_freep(&item->icc_profile); icc_profile = item->icc_profile = av_malloc(atom.size - 4); if (!icc_profile) { @@ -2146,6 +2152,7 @@ static int mov_read_colr(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR(ENOMEM); } item->icc_profile_size = atom.size - 4; + c->heif_icc_profile_items++; } ret = ffio_read_size(pb, icc_profile, atom.size - 4); if (ret < 0) _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
