PR #22412 opened by Ted Meyer (usepgp) URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22412 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22412.patch
There's a possibility here with a well-crafted MP4 file containing only the nested boxes in order: MOOV.TRAK.MDIA.MINF.STBL.SDTP where the header size uses the 64 bit large size, and the ending sdtp box has some size value >= 0x100000014. On a 32 bit build of ffmpeg, av_malloc's size parameter drops the high order bits of `entries`, and the allocation is now a controlled size that is significantly smaller than `entries`. The following loop will then write off the end of allocated memory with data that follows the box fourcc. From 79c30889a9d0c1d3326d6966d417f885410ae69c Mon Sep 17 00:00:00 2001 From: Ted Meyer <[email protected]> Date: Thu, 5 Mar 2026 17:33:36 -0800 Subject: [PATCH] Fail to allocate large or negative buffers There's a possibility here with a well-crafted MP4 file containing only the nested boxes in order: MOOV.TRAK.MDIA.MINF.STBL.SDTP where the header size uses the 64 bit large size, and the ending sdtp box has some size value >= 0x100000014. On a 32 bit build of ffmpeg, av_malloc's size parameter drops the high order bits of `entries`, and the allocation is now a controlled size that is significantly smaller than `entries`. The following loop will then write off the end of allocated memory with data that follows the box fourcc. --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 1ae281440e..027f099a2c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3697,6 +3697,9 @@ static int mov_read_sdtp(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_freep(&sc->sdtp_data); sc->sdtp_count = 0; + if (entries < 0 || entries > SIZE_MAX) + return AVERROR(ERANGE); + sc->sdtp_data = av_malloc(entries); if (!sc->sdtp_data) return AVERROR(ENOMEM); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
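Review bot: the `entries > SIZE_MAX` half of the new check only does work on 32-bit builds, where it correctly stops the int64-to-size_t truncation before `av_malloc(entries)`; on a 64-bit build a signed 64-bit `entries` can never exceed SIZE_MAX, so the comparison is dead and many compilers will flag it as "always false". A bound that is meaningful on every platform would be clearer and still closes the 32-bit hole, for example `if (entries < 0 || entries > INT_MAX) return AVERROR_INVALIDDATA;`, since av_malloc refuses requests above its default INT_MAX limit anyway and an atom declaring a multi-gigabyte sdtp table is malformed input rather than a range error. Two smaller points: AVERROR_INVALIDDATA is the usual return for corrupt box contents in mov.c, and the commit message would benefit from stating that the loop which follows this allocation writes one entry per byte of `entries`, which is why the allocation and the loop bound must agree.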
