PR #23271 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23271 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23271.patch
After the fix the reproducer finishes in 43 ms instead of OOM-ing at the 2 GB limit. Legitimate .mkv/.webm fate samples still parse cleanly. Fixes: 471604245/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6662979358883840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> >From bc9e8dddc603a5ca8fbdc4702ae20a3cc5e090bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Fri, 29 May 2026 17:56:22 +0200 Subject: [PATCH] avformat/matroskadec: bound TRACKENTRY parsing by max_streams After the fix the reproducer finishes in 43 ms instead of OOM-ing at the 2 GB limit. Legitimate .mkv/.webm fate samples still parse cleanly. Fixes: 471604245/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6662979358883840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/matroskadec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index bc584abc75..16e25a8d44 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1339,6 +1339,13 @@ static int ebml_parse(MatroskaDemuxContext *matroska, if ((unsigned)list->nb_elem + 1 >= UINT_MAX / syntax->list_elem_size) return AVERROR(ENOMEM); + if (syntax->id == MATROSKA_ID_TRACKENTRY && + list->nb_elem >= matroska->ctx->max_streams) { + av_log(matroska->ctx, AV_LOG_ERROR, + "Number of tracks exceeds max_streams (%d)\n", + matroska->ctx->max_streams); + return AVERROR(EINVAL); + } newelem = av_fast_realloc(list->elem, &list->alloc_elem_size, (list->nb_elem + 1) * syntax->list_elem_size); -- 2.52.0
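Review bot: the added check in ebml_parse() special-cases one element ID (syntax->id == MATROSKA_ID_TRACKENTRY) inside the generic list-growth path, with no comment saying why tracks alone get a limit. Every other list element that reaches this code is still bounded only by the UINT_MAX / syntax->list_elem_size test directly above it. Please add a short comment explaining why TRACKENTRY needs a tighter cap before av_fast_realloc() grows the list, and say in the commit message what the reproducer actually exhausts, since the message currently reports only the timing before and after. It is also worth stating that the behaviour is a hard AVERROR(EINVAL) from the parser once nb_elem reaches max_streams, so a file with more TRACKENTRY elements than max_streams now fails instead of being read with the extra entries ignored. If that is intended, the log line could mention that max_streams is a user-settable limit so the error is actionable. Minor style point: a blank line between the closing brace of the new block and the newelem assignment would match the spacing around the check above.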
