This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit 226934bcc5533769beadf153b8005b42f7f1ede5 Author: Omkhar Arasaratnam <[email protected]> AuthorDate: Thu May 21 00:00:00 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Jun 14 04:59:07 2026 +0200 avformat/mov: cap HEIF ICC profile copies via c*max_streams to bound CPU and memory Found-by: Claude (Anthropic). Human-verified and reported by Omkhar Arasaratnam <[email protected]>. Signed-off-by: Omkhar Arasaratnam <[email protected]> (cherry picked from commit 711cdae64f572ad2cb2ae879d33ac63f828e6e08) Signed-off-by: Michael Niedermayer <[email protected]>
---
libavformat/isom.h | 1 + libavformat/mov.c | 7 +++++++ 2 files changed, 8 insertions(+)
diff --git a/libavformat/isom.h b/libavformat/isom.h
index 55bc2827b4..66c73878fa 100644
--- a/libavformat/isom.h
+++ b/libavformat/isom.h
@@ -385,6 +385,7 @@ typedef struct MOVContext {
 int nb_heif_grid;
 int64_t idat_offset;
 int interleaved_read;
+ unsigned heif_icc_profile_items;
 } MOVContext;

 int ff_mp4_read_descr_len(AVIOContext *pb);
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 00766a5a09..dbdd85cb40 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2103,6 +2103,12 @@ static int mov_read_colr(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 return AVERROR(ENOMEM);
 icc_profile = sd->data;
 } else {
+ if (c->heif_icc_profile_items >= c->fc->max_streams) {
+ av_log(c->fc, AV_LOG_WARNING,
+ "HEIF ICC profile copies exceed cap %d; ignoring further items\n",
+ c->fc->max_streams);
+ return 0;
+ }
 av_freep(&item->icc_profile);
 icc_profile = item->icc_profile = av_malloc(atom.size - 4);
 if (!icc_profile) {
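Review bot: The new `heif_icc_profile_items` field in MOVContext carries no comment, and its name reads as a count of items although the mov.c hunks increment it on every ICC profile allocation in mov_read_colr, including one that follows `av_freep(&item->icc_profile)` for an item that already held a profile. A trailing comment such as `/* ICC profile copies made for HEIF items so far; mov_read_colr stops copying once this reaches fc->max_streams */` would record that it is a running budget and not the number of live profiles. The struct begins outside the hunk.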
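Review bot: The warning inside the new `if (c->heif_icc_profile_items >= c->fc->max_streams)` branch is emitted for every `colr` atom rejected once the cap is reached, so the cap bounds allocation and copying but not log output for a file that carries many such atoms. Logging only on the first rejection keeps the signal without the volume, for example by guarding the call with `if (c->heif_icc_profile_items == c->fc->max_streams)` and incrementing the counter once inside that guard so later rejections stay silent. The comparison also mixes the unsigned counter with `max_streams`, which the `%d` format suggests is a signed int; writing `(unsigned)c->fc->max_streams` would make the conversion explicit. mov_read_colr starts and ends outside the hunk, so how the unread payload is consumed after `return 0` cannot be confirmed from here.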
@@ -2110,6 +2116,7 @@ static int mov_read_colr(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 return AVERROR(ENOMEM);
 }
 item->icc_profile_size = atom.size - 4;
+ c->heif_icc_profile_items++;
 }
 ret = ffio_read_size(pb, icc_profile, atom.size - 4);
 if (ret < 0)
_______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
