This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/7.1 in repository ffmpeg.
commit c5970938a25dae168fb22853f57572649a65d00f Author: James Almer <[email protected]> AuthorDate: Wed Mar 4 00:06:19 2026 +0100 Commit: Michael Niedermayer <[email protected]> CommitDate: Mon May 4 15:57:15 2026 +0200 avformat/mov: Fix multiple issues related to mov_read_iref_dimg() forward errors and cleanup in teh failure cases Fixes: freeing uninitialized pointers Fixes: 487160965/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6525162874011648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit f10c0ae276d2907d243351c8f1167f9c26f350a0) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/mov.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3bd1b90d4e..58330db079 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8841,6 +8841,7 @@ static int mov_read_iref_dimg(MOVContext *c, AVIOContext *pb, int version) HEIFGrid *grid; int entries, i; int from_item_id = version ? avio_rb32(pb) : avio_rb16(pb); + int ret = 0; for (int i = 0; i < c->nb_heif_grid; i++) { if (c->heif_grid[i].item->item_id == from_item_id) { 
@@ -8875,23 +8876,32 @@ static int mov_read_iref_dimg(MOVContext *c, AVIOContext *pb, int version) if (!grid) return AVERROR(ENOMEM); c->heif_grid = grid; - grid = &grid[c->nb_heif_grid++]; + grid = &grid[c->nb_heif_grid]; entries = avio_rb16(pb); grid->tile_id_list = av_malloc_array(entries, sizeof(*grid->tile_id_list)); grid->tile_item_list = av_calloc(entries, sizeof(*grid->tile_item_list)); - if (!grid->tile_id_list || !grid->tile_item_list) - return AVERROR(ENOMEM); + if (!grid->tile_id_list || !grid->tile_item_list) { + ret = AVERROR(ENOMEM); + goto fail; + } /* 'to' item ids */ for (i = 0; i < entries; i++) grid->tile_id_list[i] = version ? avio_rb32(pb) : avio_rb16(pb); + grid->nb_tiles = entries; grid->item = item; + ++c->nb_heif_grid; av_log(c->fc, AV_LOG_TRACE, "dimg: from_item_id %d, entries %d\n", from_item_id, entries); return 0; +fail: + av_freep(&grid->tile_id_list); + av_freep(&grid->tile_item_list); + + return ret; } static int mov_read_iref_thmb(MOVContext *c, AVIOContext *pb, int version) @@ -8940,8 +8950,12 @@ static int mov_read_iref(MOVContext *c, AVIOContext *pb, MOVAtom atom) type = avio_rl32(pb); switch (type) { case MKTAG('d','i','m','g'): - mov_read_iref_dimg(c, pb, version); + { + int ret = mov_read_iref_dimg(c, pb, version); + if (ret < 0) + return ret; break; + } case MKTAG('t','h','m','b'): mov_read_iref_thmb(c, pb, version); break; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
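Review bot: In mov_read_iref_dimg() the `entries` count from `avio_rb16(pb)` is still used as read, and the loop under `/* 'to' item ids */` fills `tile_id_list` without checking that the input actually contained that many ids. On a truncated or malformed file the grid would then be counted by `++c->nb_heif_grid` with ids that were never present in the file (presumably zeros once the reader hits end of input). Since a `fail` label now exists, a check after the loop such as `if (avio_feof(pb)) { ret = AVERROR_INVALIDDATA; goto fail; }` would reject that case through the same cleanup path. The function starts outside this hunk, so whether an earlier size check already bounds these reads is not visible here.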
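Review bot: The `thmb` case directly below still discards the result of `mov_read_iref_thmb(c, pb, version)`, while only the `dimg` case now forwards errors. mov_read_iref_thmb() is declared as returning int and its body is not shown here, so if it can fail the two cases should be handled alike: `ret = mov_read_iref_thmb(c, pb, version); if (ret < 0) return ret;`. If ignoring it is intentional, a short comment such as `/* thmb errors are non-fatal and ignored on purpose */` would record that. Declaring `int ret` once at the top of mov_read_iref() would also remove the need for the extra braces inside the `case`; that function starts and ends outside this hunk.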
