* [FFmpeg-devel] [PR] avformat/mov: validate stsz/stz2 atom size before allocation (PR #21504)
@ 2026-01-18 6:52 rcx86 via ffmpeg-devel
From: rcx86 via ffmpeg-devel @ 2026-01-18 6:52 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: rcx86
PR #21504 opened by rcx86
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21504
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21504.patch
Add validation to check that atom.size is sufficient to hold the
declared entry count before allocating memory. This prevents a
denial of service where a malicious file with a large entries value
(e.g., 500 million) in a truncated stsz/stz2 atom could trigger a
multi-gigabyte memory allocation from a small file.
The check computes the expected data size as
(entries * field_size + 4) >> 3 and verifies that atom.size can
accommodate this plus the 12-byte header.
From 2430ee674b206489fae82d2a72f387c6889ab815 Mon Sep 17 00:00:00 2001
From: HACKE-RC <60568652+HACKE-RC@users.noreply.github.com>
Date: Sun, 18 Jan 2026 12:03:59 +0530
Subject: [PATCH] avformat/mov: validate stsz/stz2 atom size before allocation
Add validation to check that atom.size is sufficient to hold the
declared entry count before allocating memory. This prevents a
denial of service where a malicious file with a large entries value
(e.g., 500 million) in a truncated stsz/stz2 atom could trigger a
multi-gigabyte memory allocation from a small file.
The check computes the expected data size as
(entries * field_size + 4) >> 3 and verifies that atom.size can
accommodate this plus the 12-byte header.
---
libavformat/mov.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 009ddfec80..8291663bd3 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3510,6 +3510,15 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
return 0;
if (entries >= (INT_MAX - 4 - 8 * AV_INPUT_BUFFER_PADDING_SIZE) / field_size)
return AVERROR_INVALIDDATA;
+
+ /* Validate that atom size can hold the declared number of entries.
+ * The atom header is 12 bytes: 4 (version+flags) + 4 (sample_size or
+ * reserved+field_size) + 4 (entries). Data payload is (entries * field_size
+ * + 4) >> 3 bytes, rounded up to byte boundary. */
+ num_bytes = (entries * field_size + 4) >> 3;
+ if ((uint64_t)num_bytes + 12 > atom.size)
+ return AVERROR_INVALIDDATA;
+
if (sc->sample_sizes)
av_log(c->fc, AV_LOG_WARNING, "Duplicated STSZ atom\n");
av_free(sc->sample_sizes);
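Review bot: the new comparison `(uint64_t)num_bytes + 12 > atom.size` mixes an unsigned left-hand side with a signed atom.size (MOVAtom.size is int64_t), so a negative atom.size would be promoted to a very large unsigned value and silently pass the check; comparing in the signed domain, e.g. `if (atom.size < 0 || (int64_t)num_bytes + 12 > atom.size)`, avoids the implicit conversion. It is also worth saying in the comment that this only bounds the allocation by the atom's declared size: a file whose stsz/stz2 header declares a size large enough for the entries but is truncated afterwards still passes here and relies on the later reads failing, so the guard complements rather than replaces the existing INT_MAX check just above.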
@@ -3518,8 +3527,6 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (!sc->sample_sizes)
return AVERROR(ENOMEM);
- num_bytes = (entries*field_size+4)>>3;
-
buf = av_malloc(num_bytes+AV_INPUT_BUFFER_PADDING_SIZE);
if (!buf) {
av_freep(&sc->sample_sizes);
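Review bot: dropping the second `num_bytes = (entries*field_size+4)>>3;` is correct now that the value is assigned in the check above, but the commit message should spell out the ordering consequence: num_bytes and the atom-size check now run before the sc->sample_sizes allocation whose failure path is visible in this hunk (`if (!sc->sample_sizes) return AVERROR(ENOMEM);`), and that entries-sized allocation, not only the later av_malloc of buf, is what the check actually prevents on a truncated atom.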
--
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org