eessppeelllloo/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2026-05-09 12:32:56 +02:00
Code Issues Packages Projects Releases Wiki Activity

avformat/rtpdec_mpeg4: reject zero-length AU header sections

Browse Source 
Reject AU header sections with a signaled length of zero in
rtp_parse_mp4_au().

The AU-headers-length field specifies the length in bits of the AU header
section that immediately follows. A zero-length section is not useful input
for this parser and can lead to invalid downstream state, so reject it
up front together with oversized values.

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*

Fixes: OOB read
(cherry picked from commit 8010aa2193)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
depthfirst-dev[bot]
2026-04-23 02:47:11 +00:00
committed by Michael Niedermayer
parent 7e0fac3cbc
commit 856d22943b
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavformat/rtpdec_mpeg4.c
+1 -1
View File
@@ -132,7 +132,7 @@ static int rtp_parse_mp4_au(PayloadContext *data, const uint8_t *buf, int len)
length in bits */
au_headers_length = AV_RB16(buf);
if (au_headers_length > RTP_MAX_PACKET_LENGTH)
if (au_headers_length == 0 || au_headers_length > RTP_MAX_PACKET_LENGTH)
return -1;
data->au_headers_length_bytes = (au_headers_length + 7) / 8;