PR #23194 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23194
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23194.patch

Found-by: Calm (AI security-research agent, for John Bradley / Credex)


>From c2ea987aa09032ab496da581858d844bb2ad6071 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Thu, 21 May 2026 06:28:15 +0200
Subject: [PATCH] avformat/mxfdec: zero-init Sony MPEG-4 extradata and add
 padding

Found-by: Calm (AI security-research agent, for John Bradley / Credex)
---
 libavformat/mxfdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index a5a8417487..58ea0bbca5 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -1438,12 +1438,12 @@ static int mxf_read_generic_descriptor(void *arg, 
AVIOContext *pb, int tag, int
         break;
     default:
         /* Private uid used by SONY C0023S01.mxf */
-        if (IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata)) {
+        if (IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata) && size <= INT_MAX - 
AV_INPUT_BUFFER_PADDING_SIZE) {
             if (descriptor->extradata)
                 av_log(NULL, AV_LOG_WARNING, "Duplicate 
sony_mpeg4_extradata\n");
             av_free(descriptor->extradata);
             descriptor->extradata_size = 0;
-            descriptor->extradata = av_malloc(size);
+            descriptor->extradata = av_mallocz(size + 
AV_INPUT_BUFFER_PADDING_SIZE);
             if (!descriptor->extradata)
                 return AVERROR(ENOMEM);
             descriptor->extradata_size = size;
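Review bot: The new bound `size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` checks only the upper end, and the declaration of `size` is cut off in the hunk header. If `size` is a signed int, a negative value passes the guard and reaches `av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE)` and the `descriptor->extradata_size = size` assignment, so consider adding `size >= 0 &&` to the condition or confirming that no caller can pass a negative length. Because the bound is folded into the key match, an oversized Sony extradata item is skipped without any log line; a separate `if` with an `av_log` warning would make a rejected file diagnosable. The read that fills the buffer lies below the hunk, so whether a short read leaves `extradata_size` larger than the bytes actually read cannot be judged from here.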
-- 
2.52.0
