avformat/mov: Check sample_count and auxiliary_info_default_size to be 0

This combination causes 0 size arrays to be allocated and to leak later Fixes: memleak Fixes: 64342/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4520993686945792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2024-03-20 02:06:34 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2024-03-25 21:41:25 +0100
commit: 3c43299e9e642e73b31be7ac7c49700949946e13 (patch)
tree: 16b1cffb463dce03f5f585e09f9ce87a487dfffc
parent: 6f9e90ab0bede36cc960a099e8f19998345e7164 (diff)
download: ffmpeg-3c43299e9e642e73b31be7ac7c49700949946e13.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 8d1135270c..f954b924a0 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6994,6 +6994,9 @@ static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     sample_count = avio_rb32(pb);
 
     if (encryption_index->auxiliary_info_default_size == 0) {
+        if (sample_count == 0)
+            return AVERROR_INVALIDDATA;
+
         encryption_index->auxiliary_info_sizes = av_malloc(sample_count);
         if (!encryption_index->auxiliary_info_sizes)
             return AVERROR(ENOMEM);
author	Michael Niedermayer <michael@niedermayer.cc>	2024-03-20 02:06:34 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2024-03-25 21:41:25 +0100
commit	3c43299e9e642e73b31be7ac7c49700949946e13 (patch)
tree	16b1cffb463dce03f5f585e09f9ce87a487dfffc
parent	6f9e90ab0bede36cc960a099e8f19998345e7164 (diff)
download	ffmpeg-3c43299e9e642e73b31be7ac7c49700949946e13.tar.gz