From 5b98cea4bff2cbbb251b621a2b6c3ab76f814efa Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 31 Oct 2025 23:08:45 +0100
Subject: [PATCH] avformat/sctp: Check size in sctp_write()

Fixes: out of array access
No testcase

Found-by: Joshua Rogers <joshua@joshua.hu> with ZeroPath
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/sctp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/sctp.c b/libavformat/sctp.c
index 4122fbe312..9a6b991803 100644
--- a/libavformat/sctp.c
+++ b/libavformat/sctp.c
@@ -332,6 +332,9 @@ static int sctp_write(URLContext *h, const uint8_t *buf, int size)
     }
 
     if (s->max_streams) {
+        if (size < 2)
+            return AVERROR(EINVAL);
+
         /*StreamId is introduced as a 2byte code into the stream*/
         struct sctp_sndrcvinfo info = { 0 };
         info.sinfo_stream           = AV_RB16(buf);