avformat/mov: ensure all items id referenced by a grid are valid

Fixes: null pointer dereference
Fixes: 67494/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6528714521247744

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Tested-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
release/7.0
James Almer 10 months ago
parent 8709604ca1
commit 2ecaef7455
  1. 10
      libavformat/mov.c

@ -9396,8 +9396,9 @@ static int mov_parse_tiles(AVFormatContext *s)
for (int j = 0; j < grid->nb_tiles; j++) { for (int j = 0; j < grid->nb_tiles; j++) {
int tile_id = grid->tile_id_list[j]; int tile_id = grid->tile_id_list[j];
int k;
for (int k = 0; k < mov->nb_heif_item; k++) { for (k = 0; k < mov->nb_heif_item; k++) {
HEIFItem *item = &mov->heif_item[k]; HEIFItem *item = &mov->heif_item[k];
AVStream *st = item->st; AVStream *st = item->st;
@ -9423,6 +9424,13 @@ static int mov_parse_tiles(AVFormatContext *s)
break; break;
} }
if (k == grid->nb_tiles) {
av_log(s, AV_LOG_WARNING, "HEIF item id %d referenced by grid id %d doesn't "
"exist\n",
tile_id, grid->item->item_id);
ff_remove_stream_group(s, stg);
loop = 0;
}
if (!loop) if (!loop)
break; break;
} }
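Review bot: The not-found test added after the inner loop compares `k` against `grid->nb_tiles`, but that loop iterates `k` up to `mov->nb_heif_item`, so the two bounds only agree when the grid happens to reference exactly as many tiles as there are HEIF items. When they differ, a tile_id with no matching item is not reported (and the dereference of a missing item's stream that this commit targets can still be reached), and conversely an item found at index nb_tiles would be reported as missing and the stream group removed. The check should read `if (k == mov->nb_heif_item) {`. The loop body between the two hunks and the enclosing mov_parse_tiles function extend outside the shown lines, so any early exit from the loop other than the visible break should be rechecked against this condition.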
