This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 68ea660d83 avformat/mov: reject dimg references with zero entries
68ea660d83 is described below
commit 68ea660d83f27c1f45be12af21e30858d3a2cbeb
Author: depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com>
AuthorDate: Thu Apr 23 02:47:11 2026 +0000
Commit: michaelni <[email protected]>
CommitDate: Thu Apr 30 19:19:07 2026 +0000
avformat/mov: reject dimg references with zero entries
Reject dimg entries with a zero reference count in mov_read_iref_dimg().
This is the earliest point where the parser learns how many input images
a derived HEIF item references, so it is the right place to enforce the
invariant.
If entries == 0 is accepted here, the value is stored in HEIFGrid.nb_tiles,
later propagated by read_image_iovl() into AVStreamGroupTileGrid.nb_tiles,
and finally consumed in istg_parse_tile_grid(), which assumes at least one
tile and reads tg->offsets[tg->nb_tiles - 1]. With zero tiles, that
assumption breaks and leads to the out-of-bounds access seen in ASan.
Fixing the problem at the parser boundary is preferable to adding a later
workaround because it prevents creation of an invalid derived-image state
and stops that malformed state from reaching downstream consumers.
This is also consistent with the HEIF specification. Both iovl and grid
derived images are formed from one or more input images, and for grid the
dimg reference count must equal rows * columns; since rows and columns are
encoded as *_minus_one + 1, that count cannot be zero. A zero dimg entry
count is therefore invalid input and should be rejected when parsed.
---
libavformat/mov.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7d00334fae..12fb00be59 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -9217,6 +9217,13 @@ static int mov_read_iref_dimg(MOVContext *c, AVIOContext
*pb, int version)
return AVERROR_INVALIDDATA;
}
+ entries = avio_rb16(pb);
+ if (!entries) {
+ av_log(c->fc, AV_LOG_ERROR,
+ "Derived image item references no input images\n");
+ return AVERROR_INVALIDDATA;
+ }
+
grid = av_realloc_array(c->heif_grid, c->nb_heif_grid + 1U,
sizeof(*c->heif_grid));
if (!grid)
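Review bot: reading `entries` before the `av_realloc_array()` call is the right ordering, since rejecting the zero count before the grid array is grown means no partially initialised `heif_grid` slot is left behind on the error path; note also that `avio_rb16()` returns 0 on a truncated stream, so this check now catches truncation at the `dimg` box as well as a literal zero, and the log message "Derived image item references no input images" may therefore be slightly misleading for the truncated case. Consider appending the item context (or distinguishing EOF via `pb->eof_reached`) so the two causes can be told apart in logs. The check only enforces the lower bound; the `rows * columns` equality the commit message cites for grid items is not visible here and is presumably validated where the grid dimensions are parsed.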
@@ -9224,7 +9231,6 @@ static int mov_read_iref_dimg(MOVContext *c, AVIOContext
*pb, int version)
c->heif_grid = grid;
grid = &grid[c->nb_heif_grid];
- entries = avio_rb16(pb);
grid->tile_id_list = av_malloc_array(entries, sizeof(*grid->tile_id_list));
grid->tile_idx_list = av_calloc(entries, sizeof(*grid->tile_idx_list));
grid->tile_item_list = av_calloc(entries, sizeof(*grid->tile_item_list));
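Review bot: removing the old `entries = avio_rb16(pb);` here is correct, but the surrounding allocations still mix `av_malloc_array()` for `tile_id_list` with `av_calloc()` for `tile_idx_list` and `tile_item_list`, so `tile_id_list` remains uninitialised until every entry has been read; if any later error path can return before the fill loop completes, a consumer could observe stale values. Consider using `av_calloc()` for all three for consistency, or confirm that `grid->nb_tiles` is only set after the fill loop succeeds.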
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]