This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit 797504295bb0706a61ba27ee8e9eaebe783051c0 Author: Ted Meyer <[email protected]> AuthorDate: Wed Apr 22 13:40:53 2026 -0700 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun May 3 19:24:53 2026 +0200 avformat/mov: Check read size for opus extradata in mov_read_dops, `size` bytes is allocated for `st->codecpar->extradata`, but ff_alloc_extradata doesn't memset, so the contents of that buffer are just old heap data. If `avio_read` reads fewer bytes than were requested, uninitialized data can still be left in the extradata buffer, which is operated on by AV_WL16A and AV_WL32A. I think the best solution here is to just check the read size and ensure it's filling the extradata buffer in it's entirety, or erroring out if there isn't enough data left. (cherry picked from commit 53cd2c9f2a3db437ed8d33df5a2681007040f39d) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/mov.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index b0dbe6914f..e9ee06a219 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8585,7 +8585,11 @@ static int mov_read_dops(MOVContext *c, AVIOContext *pb, MOVAtom atom) AV_WL32A(st->codecpar->extradata, MKTAG('O','p','u','s')); AV_WL32A(st->codecpar->extradata + 4, MKTAG('H','e','a','d')); AV_WB8(st->codecpar->extradata + 8, 1); /* OpusHead version */ - avio_read(pb, st->codecpar->extradata + 9, size - 9); + if ((ret = ffio_read_size(pb, st->codecpar->extradata + 9, size - 9)) < 0) { + av_freep(&st->codecpar->extradata); + st->codecpar->extradata_size = 0; + return ret; + } /* OpusSpecificBox is stored in big-endian, but OpusHead is little-endian; aside from the preceding magic and version they're _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
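Review bot: In the added `ffio_read_size(pb, st->codecpar->extradata + 9, size - 9)` call in mov_read_dops, both the length `size - 9` and the variable `ret` depend on lines outside the visible context. Please confirm that `size` is already rejected when it is smaller than 9 before this point, and that `ret` is declared in this function on release/8.1, since this is a cherry-pick and the surrounding code may differ from the original commit's tree. The error path itself looks consistent: it frees the extradata with `av_freep` and resets `extradata_size` to 0 before returning `ret`. A one-line comment above the check saying that a short read must fail because ff_alloc_extradata does not zero the buffer would record the reason given in the commit message next to the code.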
