PR #22373 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22373 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22373.patch
forward errors so that half initialized state is not used clear pointers that might not be set
Fixes: freeing uninitialized pointers
Fixes: 487160965/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6525162874011648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>

>From baf5baae7a3356392bf997ab355c225e9d8c55ca Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Wed, 4 Mar 2026 00:06:19 +0100
Subject: [PATCH] avformat/mov: Fix multiple issues related to mov_read_iref_dimg()

forward errors so that half initialized state is not used clear pointers that might not be set
Fixes: freeing uninitialized pointers
Fixes: 487160965/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6525162874011648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/mov.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 396a559fa4..a69ae316ed 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -9204,9 +9204,10 @@ static int mov_read_iref_dimg(MOVContext *c, AVIOContext *pb, int version)
         return AVERROR(ENOMEM);
     c->heif_grid = grid;
     grid = &grid[c->nb_heif_grid++];
+    memset(grid, 0, sizeof(*grid));
     entries = avio_rb16(pb);
-    grid->tile_id_list = av_malloc_array(entries, sizeof(*grid->tile_id_list));
+    grid->tile_id_list = av_calloc(entries, sizeof(*grid->tile_id_list));
     grid->tile_idx_list = av_calloc(entries, sizeof(*grid->tile_idx_list));
     grid->tile_item_list = av_calloc(entries, sizeof(*grid->tile_item_list));
     if (!grid->tile_id_list || !grid->tile_item_list || !grid->tile_idx_list)
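Review bot: The new `memset(grid, 0, sizeof(*grid))` is the line that makes the error path safe, yet nothing at the site says why it is there: the slot handed out by the preceding reallocation (the `return AVERROR(ENOMEM)` / `c->heif_grid = grid` lines) is uninitialised memory and `c->nb_heif_grid` is already incremented before the three allocations below can fail, so cleanup that walks `heif_grid` would otherwise free garbage pointers. I would add `/* the realloc'd slot is uninitialised and already counted in nb_heif_grid; zero it so a failure below leaves only NULL or valid list pointers to free */` above the memset. The `av_malloc_array` to `av_calloc` switch for `tile_id_list` is a separate concern, since it zeroes the array contents rather than the struct pointer, presumably so entries left unread on a short atom are defined; a one-line comment saying that would help because the rest of mov_read_iref_dimg lies outside the hunk. `entries` is read from the file by `avio_rb16`, so a count of zero is possible; confirm that the code consuming the lists tolerates an empty grid.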
@@ -9288,7 +9289,9 @@ static int mov_read_iref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         type = avio_rl32(pb);
         switch (type) {
         case MKTAG('d','i','m','g'):
-            mov_read_iref_dimg(c, pb, version);
+            ;int ret = mov_read_iref_dimg(c, pb, version);
+            if (ret < 0)
+                return ret;
             break;
         case MKTAG('c','d','s','c'):
         case MKTAG('t','h','m','b'):
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
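Review bot: The `;int ret = mov_read_iref_dimg(c, pb, version);` line uses an empty statement so that a declaration can follow the `case` label, which reads like a typo to the next maintainer; the idiomatic form is to scope the case body, `case MKTAG('d','i','m','g'): {` … `break; }`, or to declare `ret` alongside the function's other locals, which are outside the hunk. Propagating the error is the right call, since a failed mov_read_iref_dimg leaves `c->heif_grid` with a counted but incomplete entry and the stream position undefined, but the new `return ret` now leaves mov_read_iref from inside its read loop; the hunk shows nothing acquired earlier that would need releasing, though the function starts and ends outside the hunk, so confirm no cleanup is skipped on that path.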
