On Fri, Apr 26, 2024 at 08:57:02PM -0300, James Almer wrote:
> On 4/26/2024 8:52 PM, Michael Niedermayer wrote:
> > Fixes: memleak
> > Fixes: 68212/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4963488540721152
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   libavformat/mov.c | 3 +++
> >   1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 97a24e6737e..5b8278f736e 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -8136,6 +8136,9 @@ static int mov_read_infe(MOVContext *c, AVIOContext *pb, MOVAtom atom, int idx)
> >       avio_rb24(pb);  // flags.
> >       size -= 4;
> > +    if (c->heif_item[idx].name)
> > +        return AVERROR_INVALIDDATA;
> 
> I prefer to free the old one before the av_bprint_finalize() call instead of
> aborting.

does the format allow this to be changing ?

because security wise, allowing an attacker to change things is worse
than allowing her to just set it once.

and heif seems to have a rather high density of issues already, judging
from how many of the recent mov issues where in heif code

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Dictatorship naturally arises out of democracy, and the most aggravated
form of tyranny and slavery out of the most extreme liberty. -- Plato