github-mirrors/FFmpeg
1
0
Fork 0
mirror of https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg synced 2026-05-01 14:22:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

avformat/mov: Check read size for opus extradata

Browse Source 
in mov_read_dops, `size` bytes is allocated for
`st->codecpar->extradata`, but ff_alloc_extradata doesn't memset, so the
contents of that buffer are just old heap data. If `avio_read` reads
fewer bytes than were requested, uninitialized data can still be left in
the extradata buffer, which is operated on by AV_WL16A and AV_WL32A.

I think the best solution here is to just check the read size and ensure
it's filling the extradata buffer in it's entirety, or erroring out if
there isn't enough data left.
This commit is contained in:
Ted Meyer
2026-04-22 13:40:53 -07:00
committed by michaelni
parent bd1587037f
commit 53cd2c9f2a
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
libavformat/mov.c
View File

@@ -8591,7 +8591,11 @@ static int mov_read_dops(MOVContext *c, AVIOContext *pb, MOVAtom atom)
AV_WL32A(st->codecpar->extradata, MKTAG('O','p','u','s'));
AV_WL32A(st->codecpar->extradata + 4, MKTAG('H','e','a','d'));
AV_WB8(st->codecpar->extradata + 8, 1); /* OpusHead version */
avio_read(pb, st->codecpar->extradata + 9, size - 9);
if ((ret = ffio_read_size(pb, st->codecpar->extradata + 9, size - 9)) < 0) {
av_freep(&st->codecpar->extradata);
st->codecpar->extradata_size = 0;
return ret;
}
/* OpusSpecificBox is stored in big-endian, but OpusHead is
little-endian; aside from the preceding magic and version they're