From: rcx86 via ffmpeg-devel
Cc: rcx86
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 18 Jan 2026 06:52:11 -0000
Subject: [FFmpeg-devel] [PR] avformat/mov: validate stsz/stz2 atom size before allocation (PR #21504)
Message-ID: <176871913255.25.16684639753412169507@4457048688e7>
List-Id: FFmpeg development discussions and patches

PR #21504 opened by rcx86
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21504
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21504.patch

Add validation to check that atom.size is sufficient to hold the declared entry count before allocating memory. This prevents a denial of service where a malicious file with a large entries value (e.g., 500 million) in a truncated stsz/stz2 atom could trigger a multi-gigabyte memory allocation from a small file.

The check computes the expected data size as (entries * field_size + 4) >> 3 and verifies that atom.size can accommodate this plus the 12-byte header.

From 2430ee674b206489fae82d2a72f387c6889ab815 Mon Sep 17 00:00:00 2001
From: HACKE-RC <60568652+HACKE-RC@users.noreply.github.com> Date: Sun, 18 Jan 2026 12:03:59 +0530 Subject: [PATCH] avformat/mov: validate stsz/stz2 atom size before allocation Add validation to check that atom.size is sufficient to hold the declared entry count before allocating memory. This prevents a denial of service where a malicious file with a large entries value (e.g., 500 million) in a truncated stsz/stz2 atom could trigger a multi-gigabyte memory allocation from a small file. The check computes the expected data size as (entries * field_size + 4) >> 3 and verifies that atom.size can accommodate this plus the 12-byte header. --- libavformat/mov.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 009ddfec80..8291663bd3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3510,6 +3510,15 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size) return AVERROR_INVALIDDATA; + + /* Validate that atom size can hold the declared number of entries. + * The atom header is 12 bytes: 4 (version+flags) + 4 (sample_size or + * reserved+field_size) + 4 (entries). Data payload is (entries * field_size + * + 4) >> 3 bytes, rounded up to byte boundary. */ + num_bytes = (entries * field_size + 4) >> 3; + if ((uint64_t)num_bytes + 12 > atom.size) + return AVERROR_INVALIDDATA; + if (sc->sample_sizes) av_log(c->fc, AV_LOG_WARNING, "Duplicated STSZ atom\n"); av_free(sc->sample_sizes); 
@@ -3518,8 +3527,6 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!sc->sample_sizes) return AVERROR(ENOMEM); - num_bytes = (entries*field_size+4)>>3; - buf = av_malloc(num_bytes+AV_INPUT_BUFFER_PADDING_SIZE); if (!buf) { av_freep(&sc->sample_sizes); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
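Review bot: in the first hunk, the new `(uint64_t)num_bytes + 12 > atom.size` test bounds the table against atom.size, which is read from the same untrusted box header as `entries`, so it catches the truncated-atom case in the commit message but not a small file whose stsz/stz2 box simply declares a size large enough to cover the claimed table; for that input the `av_malloc_array`/`av_malloc` calls below still run. Two smaller points on the same hunk: the comment's "atom header is 12 bytes" is confusing, because the 12 bytes it lists are the full-box fields (version/flags, sample_size or reserved+field_size, entries) rather than the box's own 8-byte size/type header, so "12 bytes of fixed fields" would be clearer; and the pre-existing bound in the context line `entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size` already caps stsz (field_size 32) at about INT_MAX / 32, roughly 67 million entries, so the "500 million" example in the message only reaches the allocation for stz2 with 4-bit fields; the message should say which case the new check actually closes. Suggest also logging the rejection the way the "Duplicated STSZ atom" warning does, e.g. `av_log(c->fc, AV_LOG_ERROR, "stsz/stz2: %u entries do not fit in atom of size %"PRId64"\n", entries, atom.size);` before the `return AVERROR_INVALIDDATA;`, so a rejected file is diagnosable.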
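As an added example that is not FFmpeg code and not part of the PR, here is a stand-alone C reader for the stsz/stz2 atom body that applies the size check described in the message before any allocation. It assumes the caller hands over the atom body after the 8-byte size/type box header together with that body's declared length; the names `PADDING_SIZE`, `ERR_INVALIDDATA`, `ERR_NOMEM`, `table_alloc_bytes`, `read_sample_sizes`, `sample_size_sum` and the four constructed atom bodies are hypothetical stand-ins for the FFmpeg counterparts. It goes one step beyond the message by also showing the pre-existing INT_MAX bound: a 500-million-entry stsz table is already rejected by that bound, so the new check matters for stsz at counts below about 67 million, while a 500-million-entry stz2 table with 4-bit fields passes the old bound and is stopped only by the new check.

```c
/* Added example, not FFmpeg code: minimal stsz/stz2 table reader with the
 * "declared atom size must cover the entry table" check applied before
 * allocation. Assumes `payload` is the atom body after the 8-byte box header
 * and `atom_size` is that body's declared length (ISO/IEC 14496-12 layout:
 * big-endian fields, MSB-first packed entries). */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PADDING_SIZE    64    /* hypothetical stand-in for AV_INPUT_BUFFER_PADDING_SIZE */
#define ERR_INVALIDDATA (-1)  /* hypothetical stand-in for AVERROR_INVALIDDATA */
#define ERR_NOMEM       (-2)  /* hypothetical stand-in for AVERROR(ENOMEM) */

typedef struct {
    uint32_t  sample_size;   /* stsz constant size; 0 means a table follows */
    uint32_t  sample_count;
    uint32_t *sample_sizes;  /* heap array of sample_count entries, or NULL */
} SampleTable;

static uint32_t rb32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* MSB-first bit reader: returns nbits (4, 8, 16 or 32) starting at *bitpos. */
static uint32_t get_bits(const uint8_t *buf, uint64_t *bitpos, unsigned nbits)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < nbits; i++, (*bitpos)++)
        v = (v << 1) | ((buf[*bitpos >> 3] >> (7 - (*bitpos & 7))) & 1u);
    return v;
}

/* Bytes the unpatched path would request for `entries` table entries:
 * the 4-byte-per-entry sample_sizes array plus the packed bit buffer. */
uint64_t table_alloc_bytes(uint32_t entries, unsigned field_size)
{
    return (uint64_t)entries * 4 + (((uint64_t)entries * field_size + 4) >> 3);
}

int read_sample_sizes(int is_stz2, const uint8_t *payload, uint64_t atom_size,
                      SampleTable *out)
{
    if (atom_size < 12)                      /* version/flags + 4 bytes + entries */
        return ERR_INVALIDDATA;
    unsigned field_size = 32;
    out->sample_size  = is_stz2 ? 0 : rb32(payload + 4);  /* stsz: constant size or 0 */
    if (is_stz2)
        field_size = payload[7];             /* 3 reserved bytes, then field_size */
    uint32_t entries  = rb32(payload + 8);
    out->sample_count = entries;
    out->sample_sizes = NULL;

    if (out->sample_size)                    /* constant sample size: no table */
        return 0;
    if (field_size != 4 && field_size != 8 && field_size != 16 && field_size != 32)
        return ERR_INVALIDDATA;
    if (!entries)
        return 0;
    /* Pre-existing bound: keeps entries*field_size + padding inside an int. */
    if (entries >= (INT_MAX - 4 - 8 * PADDING_SIZE) / field_size)
        return ERR_INVALIDDATA;
    /* The check from the patch: 12 fixed bytes plus the packed table must
     * fit in the declared atom body, and this runs before any malloc. */
    uint64_t num_bytes = ((uint64_t)entries * field_size + 4) >> 3;
    if (num_bytes + 12 > atom_size)
        return ERR_INVALIDDATA;

    out->sample_sizes = malloc((size_t)entries * sizeof(uint32_t));
    if (!out->sample_sizes)
        return ERR_NOMEM;
    uint64_t bitpos = 0;
    for (uint32_t i = 0; i < entries; i++)
        out->sample_sizes[i] = get_bits(payload + 12, &bitpos, field_size);
    return 0;
}

/* Sum of the decoded sample sizes, or the negative error code. */
int64_t sample_size_sum(int is_stz2, const uint8_t *payload, uint64_t atom_size)
{
    SampleTable t;
    int rc = read_sample_sizes(is_stz2, payload, atom_size, &t);
    if (rc < 0)
        return rc;
    int64_t sum = 0;
    for (uint32_t i = 0; t.sample_sizes && i < t.sample_count; i++)
        sum += t.sample_sizes[i];
    free(t.sample_sizes);
    return sum;
}

/* Constructed atom bodies (no 8-byte box header), made up for this example. */
const uint8_t STSZ_OK[] = {        /* stsz, sizes 256, 512, 16 */
    0,0,0,0,  0,0,0,0,  0,0,0,3,  0,0,1,0,  0,0,2,0,  0,0,0,16 };
const uint8_t STSZ_TRUNCATED[] = { /* stsz, claims 60,000,000 entries, no table bytes */
    0,0,0,0,  0,0,0,0,  0x03,0x93,0x87,0x00 };
const uint8_t STZ2_OK[] = {        /* stz2, 4-bit fields, sizes 5, 10, 7 */
    0,0,0,0,  0,0,0,4,  0,0,0,3,  0x5A,0x70 };
const uint8_t STZ2_TRUNCATED[] = { /* stz2, 4-bit fields, claims 500,000,000 entries */
    0,0,0,0,  0,0,0,4,  0x1D,0xCD,0x65,0x00 };

int main(void)
{
    printf("stsz ok:        sum=%lld\n", (long long)sample_size_sum(0, STSZ_OK, sizeof STSZ_OK));
    printf("stz2 ok:        sum=%lld\n", (long long)sample_size_sum(1, STZ2_OK, sizeof STZ2_OK));
    printf("stsz truncated: rc=%lld, would have allocated %llu bytes\n",
           (long long)sample_size_sum(0, STSZ_TRUNCATED, sizeof STSZ_TRUNCATED),
           (unsigned long long)table_alloc_bytes(60000000u, 32));
    printf("stz2 truncated: rc=%lld, would have allocated %llu bytes\n",
           (long long)sample_size_sum(1, STZ2_TRUNCATED, sizeof STZ2_TRUNCATED),
           (unsigned long long)table_alloc_bytes(500000000u, 4));
    return 0;
}
```

The two truncated bodies are 12 bytes each, so the declared length cannot cover any table and the reader returns ERR_INVALIDDATA without calling malloc; table_alloc_bytes shows what an unpatched reader would have requested for the same headers.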