PR #21504 opened by rcx86 URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21504 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21504.patch
Add validation to check that atom.size is sufficient to hold the declared entry count before allocating memory. This prevents a denial of service where a malicious file with a large entries value (e.g., 500 million) in a truncated stsz/stz2 atom could trigger a multi-gigabyte memory allocation from a small file. The check computes the expected data size as (entries * field_size + 4) >> 3 and verifies that atom.size can accommodate this plus the 12-byte header. >From 2430ee674b206489fae82d2a72f387c6889ab815 Mon Sep 17 00:00:00 2001 From: HACKE-RC <[email protected]> Date: Sun, 18 Jan 2026 12:03:59 +0530 Subject: [PATCH] avformat/mov: validate stsz/stz2 atom size before allocation Add validation to check that atom.size is sufficient to hold the declared entry count before allocating memory. This prevents a denial of service where a malicious file with a large entries value (e.g., 500 million) in a truncated stsz/stz2 atom could trigger a multi-gigabyte memory allocation from a small file. The check computes the expected data size as (entries * field_size + 4) >> 3 and verifies that atom.size can accommodate this plus the 12-byte header. --- libavformat/mov.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 009ddfec80..8291663bd3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -3510,6 +3510,15 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size) return AVERROR_INVALIDDATA; + + /* Validate that atom size can hold the declared number of entries. + * The atom header is 12 bytes: 4 (version+flags) + 4 (sample_size or + * reserved+field_size) + 4 (entries). Data payload is (entries * field_size + * + 4) >> 3 bytes, rounded up to byte boundary. */ + num_bytes = (entries * field_size + 4) >> 3; + if ((uint64_t)num_bytes + 12 > atom.size) + return AVERROR_INVALIDDATA; + if (sc->sample_sizes) av_log(c->fc, AV_LOG_WARNING, "Duplicated STSZ atom\n"); av_free(sc->sample_sizes); @@ -3518,8 +3527,6 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!sc->sample_sizes) return AVERROR(ENOMEM); - num_bytes = (entries*field_size+4)>>3; - buf = av_malloc(num_bytes+AV_INPUT_BUFFER_PADDING_SIZE); if (!buf) { av_freep(&sc->sample_sizes); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
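Review bot: the new check is correct only because it sits after the `entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size` guard, which is what keeps `entries * field_size + 4` from overflowing before `num_bytes` is derived; please say so in the comment block, since anyone who later hoists the size check above that guard reintroduces the overflow. Two further points on the same hunk. First, `(uint64_t)num_bytes + 12 > atom.size` promotes the signed `atom.size` to unsigned, so a negative `atom.size` would turn into a huge value and the check would pass vacuously; the comment should state that the caller guarantees a non-negative `atom.size` that excludes the 8-byte size/type header (the "12-byte header" arithmetic only holds under that convention), or the check should reject `atom.size < 12` explicitly first. Second, the rejection is silent, while the duplicated-atom case a few lines below logs with `av_log(c->fc, AV_LOG_WARNING, ...)`; an `av_log(c->fc, AV_LOG_ERROR, "stsz/stz2 atom too small for %u entries\n", entries)` before the `return AVERROR_INVALIDDATA;` would make truncated files diagnosable and make the DoS rejection visible in logs. The second hunk correctly removes the now-duplicate `num_bytes = (entries*field_size+4)>>3;` so the value used for the check and for `av_malloc(num_bytes+AV_INPUT_BUFFER_PADDING_SIZE)` is the same.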
