PR #23219 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23219 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23219.patch
libavformat/mov.c read the APV AU length field directly from the sample without sanity-checking against the remaining sample size or a documented maximum. The patch validates that au_size is bounded by the remaining sample bytes and that the AU envelope (4 bytes plus au_size) fits inside the declared sample size. Validate the access unit length at the demuxer boundary so that the decoder is not handed an attacker-controllable buffer size. Returns AVERROR_INVALIDDATA on the bound failure with an explicit log line. Found-by: Claude (Anthropic). Human-verified and reported by Omkhar Arasaratnam <[email protected]>. Signed-off-by: Omkhar Arasaratnam <[email protected]> >From 37731d42e124c7fb473383900453356ea8cea12b Mon Sep 17 00:00:00 2001 From: Omkhar Arasaratnam <[email protected]> Date: Mon, 25 May 2026 04:47:27 +0200 Subject: [PATCH] avformat/mov: validate APV access unit length before passing to decoder libavformat/mov.c read the APV AU length field directly from the sample without sanity-checking against the remaining sample size or a documented maximum. The patch validates that au_size is bounded by the remaining sample bytes and that the AU envelope (4 bytes plus au_size) fits inside the declared sample size. Validate the access unit length at the demuxer boundary so that the decoder is not handed an attacker-controllable buffer size. Returns AVERROR_INVALIDDATA on the bound failure with an explicit log line. Found-by: Claude (Anthropic). Human-verified and reported by Omkhar Arasaratnam <[email protected]>. Signed-off-by: Omkhar Arasaratnam <[email protected]> --- libavformat/mov.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 1cda7a1d05..387466b0db 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -11619,6 +11619,12 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) #endif else if (st->codecpar->codec_id == AV_CODEC_ID_APV && sample->size > 4) { const uint32_t au_size = avio_rb32(sc->pb); + if (au_size > (uint32_t)sample->size - 4) { + av_log(s, AV_LOG_ERROR, + "APV au_size %u exceeds sample body %d\n", + au_size, sample->size - 4); + return AVERROR_INVALIDDATA; + } ret = av_get_packet(sc->pb, pkt, au_size); } else ret = av_get_packet(sc->pb, pkt, sample->size); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
