PR #22954 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22954
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22954.patch

We do want to limit an attackers ability to change once parsed structures.
So once extradata (or another array) is finished and possibly has been used we 
do not
want to allow an attacker to change it.

This reduces the attack surface

Signed-off-by: Michael Niedermayer <[email protected]>


>From 413d0adcf3d43d52c037f76000163aa70d4c5d6c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Wed, 29 Apr 2026 01:49:59 +0200
Subject: [PATCH] avformat/mov: check extradata in mov_read_dops()

We do want to limit an attackers ability to change once parsed structures.
So once extradata (or another array) is finished and possibly has been used we 
do not
want to allow an attacker to change it.

This reduces the attack surface

Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 187558e19b..f376c82a94 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -8573,7 +8573,7 @@ static int mov_read_dops(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
         return 0;
     st = c->fc->streams[c->fc->nb_streams-1];
 
-    if ((uint64_t)atom.size > (1<<30) || atom.size < 11)
+    if ((uint64_t)atom.size > (1<<30) || atom.size < 11 || 
st->codecpar->extradata)
         return AVERROR_INVALIDDATA;
 
     /* Check OpusSpecificBox version. */
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to