avformat/mov: validate APV access unit length before passing to decoder
authorOmkhar Arasaratnam <omkhar@linkedin.com>
Mon, 25 May 2026 02:47:27 +0000 (04:47 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 14 Jun 2026 02:59:02 +0000 (04:59 +0200)
commit2d0bdf26af9d6699befb9d320d3fa7d8d1c24f2d
treecd8e32d32eaaa38a82246213704876c7186af728
parentd86d43a5e7fab4cdc6ef0686e54062107d802d77
avformat/mov: validate APV access unit length before passing to decoder

libavformat/mov.c read the APV AU length field directly from the
sample without sanity-checking against the remaining sample size or
a documented maximum. The patch validates that au_size is bounded by
the remaining sample bytes and that the AU envelope (4 bytes plus
au_size) fits inside the declared sample size.

Validate the access unit length at the demuxer boundary so that the
decoder is not handed an attacker-controllable buffer size. Returns
AVERROR_INVALIDDATA on the bound failure with an explicit log line.

Found-by: Claude (Anthropic). Human-verified and reported by
Omkhar Arasaratnam <omkhar@linkedin.com>.
Signed-off-by: Omkhar Arasaratnam <omkhar@linkedin.com>
(cherry picked from commit 387ad6d1029c6c75a62cf3ed2d2526f8d8329354)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/mov.c