From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id E4FEB4DC53
	for <ffmpegdev@gitmailbox.com>; Wed,  4 Feb 2026 00:40:27 +0000 (UTC)
Authentication-Results: ffbox; dkim=fail (body hash mismatch (got 
   b'HQpeXCemFiE6UYURm3fO4bgdAJ6sF5oJqNugGhj05/I=', expected 
   b'gwFX2hJfHKcGympHvStjC8Ay0sKkYKcCNMmLAXEo2Y0=')) header.d=ffmpeg.org 
   header.i=@ffmpeg.org header.a=rsa-sha256
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1770165617; h=mime-version : to :
 date : message-id : reply-to : subject : list-id : list-archive :
 list-archive : list-help : list-owner : list-post : list-subscribe :
 list-unsubscribe : from : cc : content-type :
 content-transfer-encoding : from;
 bh=HQpeXCemFiE6UYURm3fO4bgdAJ6sF5oJqNugGhj05/I=;
 b=c63ydv9gERjporZQweQ8D/7RNqYFa/UZrmlFqBiSrn/WMMnt7vcyFjNbn7eHp40h+m2OT
 aQWtkQS0VBvtsOvuJ/nIwDiR4Gi590y8mUQXLaqnDUjNBVLTB3k5PZCAQ3Chu8wbi1wKB+e
 Q//1GvL8ajAngJc9n/oxXg/l5V+A/ZUPcgDGXBI2RlmnyZmm4ERShiF5rNVS01f7WfJj396
 lxkL/S3DSuxPUIpnZblpjW9/SKuIwm3jgvC250tskBGuC6RUf7ne01UvMnBLr4aEP1ycEhv
 VDIz7EsGhXV+o8p6RKqc/BdhdKSPWOBcH3psIfPqk8JGFkAZ7OJN83IXbABg==
Received: from [172.20.0.4] (unknown [172.20.0.4])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 7059F690FF2;
	Wed,  4 Feb 2026 02:40:17 +0200 (EET)
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1770165601;
 b=ozwNlez7xAoh08A1b9hBHHsW3JNXOaZJIcuWdh6YPaCC+jt9VpNZPJAai9TW7JycJ3IDt
 hO2yABTHfiAC8Ic79qcPdBXrsPggBr4JFpQGnZyEtY7MDEKjpzSF4cCx2pq6PMR3Sad5j0u
 KmFvTs5q4UpOIThDkAFtHfcT7Clh3t99khuxePiR3fi+3jww42T+AC1DIjHQEtRYhKLw9nh
 3F6y7Aq/rj0vU2mOSVJtbOaebQckrtt+p8Nf4h8JBZtwtRSUc8+bfWxEOe3+ERdpEWIb/Lq
 2764+J2uAF1AYoStTjPcAQnx4bow7CcCjsEi+s4YZSlnWvf4cq0eOpdtAEGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ffmpeg.org; s=arc; t=1770165601; h=from : sender : reply-to :
 subject : date : message-id : to : cc : mime-version : content-type :
 content-transfer-encoding : content-id : content-description :
 resent-date : resent-from : resent-sender : resent-to : resent-cc :
 resent-message-id : in-reply-to : references : list-id : list-help :
 list-unsubscribe : list-subscribe : list-post : list-owner :
 list-archive; bh=bnuD5WDnBvUpe7ZfpKX03pyEcWjssxCpPRrOYXgfI/E=;
 b=OJv9G/D0nKOR9N9eStZ/SsYH14gipIyYJnY/hhpEZzl7rpFyFcsKpgU50nHZu6eu9DlA6
 bf0i5UT1oFXAuynPIeSxGPO9vc+HBuKFwaUNmRMMYdhHFNQ4jZ/EcUt6MER5r4myQk7qDe6
 vWTkJciJTUowS4C1hGcNK2prpmWDTnipodyyRePFBpmO+Ea+gJqNi98Lub7rHL6WeKza0IB
 0Gyhm6DcGWNcEpsJR8CWb1Viw7aI5jxcu4BkR7Mo8jGqV1XTgDcvMnRyYZU8sTXczfp7Hte
 q3ioGh4D4T2b2gQ9edOqVfgNUJY01sw55wdspUj3F4M2NM8Bi85cighLyfxg==
ARC-Authentication-Results: i=1; ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none;
 dmarc=pass header.from=ffmpeg.org policy.dmarc=quarantine
Authentication-Results: ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none (Message is not ARC signed);
 dmarc=pass (Used From Domain Record) header.from=ffmpeg.org
 policy.dmarc=quarantine
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1770165591; h=content-type :
 mime-version : content-transfer-encoding : from : to : reply-to :
 subject : date : from;
 bh=gwFX2hJfHKcGympHvStjC8Ay0sKkYKcCNMmLAXEo2Y0=;
 b=JlJj0OEW0fyUUJ3I03504+ieIeD1vnbM1thYk8efL0hFSCDOBl9jGOT0NrLRevRSWi7RE
 vt88AONJo1M9Od4KxafwrDzgiirbtC+PtsdEQxUJ2J4U9qwua3yD2XkJJslHdORHaFaldfj
 jG4KSkvTWuqPYFoaR/Gu5MTfEB9+sVfyXCGxXfBGKEFimN2vkqXh640fQit6o7xFqAPmjaw
 gJl20KsVtghvZAyw/HqEOY2UWzt8M8pxLCplxI/tGY4ySrlIwBg4cBB20k+3HcX1MUkXYbl
 FmufoTmm++8CuRrpJKq3qiyldsid1ddtIMbjZXsYO+x17MwFXmfIGLdhM2iw==
Received: from c8d966988b92 (code.ffmpeg.org [188.245.149.3])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 8F0C8690F62
	for <ffmpeg-devel@ffmpeg.org>; Wed,  4 Feb 2026 02:39:51 +0200 (EET)
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 04 Feb 2026 00:39:51 -0000
Message-ID: <177016559194.25.9838724582723861250@4457048688e7>
Message-ID-Hash: 67ZYTSDG4RBLSMO267D6HNISSRRIWXRB
X-Message-ID-Hash: 67ZYTSDG4RBLSMO267D6HNISSRRIWXRB
X-MailFrom: code@ffmpeg.org
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-ffmpeg-devel.ffmpeg.org-0;
 header-match-ffmpeg-devel.ffmpeg.org-1;
 header-match-ffmpeg-devel.ffmpeg.org-2;
 header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation
X-Mailman-Version: 3.3.10
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PR] Fix out-of-bounds av_freep call in stsd parser (PR #21641)
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
Archived-At: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/67ZYTSDG4RBLSMO267D6HNISSRRIWXRB/>
Archived-At: 
 <https://lists.ffmpeg.org/lore/ffmpeg-devel/177016559194.25.9838724582723861250@4457048688e7/>
List-Archive: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/>
List-Archive: <https://lists.ffmpeg.org/lore/ffmpeg-devel/>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Owner: <mailto:ffmpeg-devel-owner@ffmpeg.org>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Subscribe: <mailto:ffmpeg-devel-join@ffmpeg.org>
List-Unsubscribe: <mailto:ffmpeg-devel-leave@ffmpeg.org>
From: Ted Meyer via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Cc: Ted Meyer <code@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://master.gitmailbox.com/ffmpegdev/177016559194.25.9838724582723861250@4457048688e7/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

PR #21641 opened by Ted Meyer (usepgp)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21641
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21641.patch

`sc->stsd_count` can exceed `entries` if in ff_mov_read_stsd_entries
there are multiple skipped stsd blocks. In this case, the `stsd_count`
can get incremented too far, and when failure occurs, an OOB free
happens.


>>From 0eb0d70175402e987a03f93ffe1191aa77f81ba6 Mon Sep 17 00:00:00 2001
From: Ted Meyer <tmathmeyer@chromium.org>
Date: Tue, 3 Feb 2026 16:31:50 -0800
Subject: [PATCH] Fix out-of-bounds av_freep call in stsd parser

`sc->stsd_count` can exceed `entries` if in ff_mov_read_stsd_entries
there are multiple skipped stsd blocks. In this case, the `stsd_count`
can get incremented too far, and when failure occurs, an OOB free
happens.
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index d19b213ffa..4deb76d37c 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3254,7 +3254,7 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 fail:
     if (sc->extradata) {
         int j;
-        for (j = 0; j < sc->stsd_count; j++)
+        for (j = 0; j < entries; j++)
             av_freep(&sc->extradata[j]);
     }
 
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org