From a58cb16e27bc0c32906cfb3de36e4a495c0a8602 Mon Sep 17 00:00:00 2001
From: Ted Meyer
Date: Tue, 3 Feb 2026 16:31:50 -0800
Subject: [PATCH] Fix overflow in STSD parser
Reset `sc->stsd_count` before parsing entries. This number doesn't get reset, which means that multiple parse passes can increment it past the `sc->extradata` array end and cause OOB writes.
---
 libavformat/mov.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index d19b213ffa..1a4450153f 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3258,6 +3258,7 @@ fail:
 av_freep(&sc->extradata[j]);
 }
+ sc->stsd_count = 0;
 av_freep(&sc->extradata);
 av_freep(&sc->extradata_size);
 return ret;
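Review bot: The reset sits on the `fail:` path after the free loop, whereas the commit message describes resetting the count before parsing entries, so the invariant that `sc->stsd_count` never exceeds the length of `sc->extradata` still depends on every error exit reaching this label. Zeroing it as well where the arrays are allocated would tie the count to the allocation, and the entry loop could refuse to advance past the allocated entry count; both places are outside this hunk, so this is inferred rather than confirmed. At minimum the new line deserves a comment such as `/* extradata[] is freed below; clear the count so a later stsd pass cannot index past a new, shorter array */`. The enclosing function starts outside the hunk.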