This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 53cd2c9f2a avformat/mov: Check read size for opus extradata
53cd2c9f2a is described below
commit 53cd2c9f2a3db437ed8d33df5a2681007040f39d
Author: Ted Meyer <[email protected]>
AuthorDate: Wed Apr 22 13:40:53 2026 -0700
Commit: michaelni <[email protected]>
CommitDate: Tue Apr 28 23:46:56 2026 +0000
avformat/mov: Check read size for opus extradata
in mov_read_dops, `size` bytes is allocated for
`st->codecpar->extradata`, but ff_alloc_extradata doesn't memset, so the
contents of that buffer are just old heap data. If `avio_read` reads
fewer bytes than were requested, uninitialized data can still be left in
the extradata buffer, which is operated on by AV_WL16A and AV_WL32A.
I think the best solution here is to just check the read size and ensure
it's filling the extradata buffer in it's entirety, or erroring out if
there isn't enough data left.
---
libavformat/mov.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 187558e19b..8859e296d3 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -8591,7 +8591,11 @@ static int mov_read_dops(MOVContext *c, AVIOContext *pb,
MOVAtom atom)
AV_WL32A(st->codecpar->extradata, MKTAG('O','p','u','s'));
AV_WL32A(st->codecpar->extradata + 4, MKTAG('H','e','a','d'));
AV_WB8(st->codecpar->extradata + 8, 1); /* OpusHead version */
- avio_read(pb, st->codecpar->extradata + 9, size - 9);
+ if ((ret = ffio_read_size(pb, st->codecpar->extradata + 9, size - 9)) < 0)
{
+ av_freep(&st->codecpar->extradata);
+ st->codecpar->extradata_size = 0;
+ return ret;
+ }
/* OpusSpecificBox is stored in big-endian, but OpusHead is
little-endian; aside from the preceding magic and version they're
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
