From 856d22943b2ffddc39bec732fee76e79243192c8 Mon Sep 17 00:00:00 2001 From: "depthfirst-dev[bot]" <1012587+depthfirst-dev[bot]@users.noreply.github.com> Date: Thu, 23 Apr 2026 02:47:11 +0000 Subject: [PATCH] avformat/rtpdec_mpeg4: reject zero-length AU header sections Reject AU header sections with a signaled length of zero in rtp_parse_mp4_au(). The AU-headers-length field specifies the length in bits of the AU header section that immediately follows. A zero-length section is not useful input for this parser and can lead to invalid downstream state, so reject it up front together with oversized values. *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst* *Patch validated by Zheng Yu at depthfirst* Fixes: OOB read (cherry picked from commit 8010aa2193f5a354394a36eb7bfb57deaaf81c2e) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_mpeg4.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c index 34c7950bcc..0b54d417cf 100644 --- a/libavformat/rtpdec_mpeg4.c +++ b/libavformat/rtpdec_mpeg4.c @@ -132,7 +132,7 @@ static int rtp_parse_mp4_au(PayloadContext *data, const uint8_t *buf, int len) length in bits */ au_headers_length = AV_RB16(buf); - if (au_headers_length > RTP_MAX_PACKET_LENGTH) + if (au_headers_length == 0 || au_headers_length > RTP_MAX_PACKET_LENGTH) return -1; data->au_headers_length_bytes = (au_headers_length + 7) / 8;
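Review bot: the new `au_headers_length == 0` test in rtp_parse_mp4_au() has no comment, and the commit message only says a zero-length section "can lead to invalid downstream state" without naming that state. From the visible lines, a zero value makes `(au_headers_length + 7) / 8` evaluate to 0, so `data->au_headers_length_bytes` becomes 0; please state in the message or in a one-line comment above the check which later read depends on that being non-zero, so the link to the "Fixes: OOB read" tag can be verified and the check is not later dropped as redundant. Separately, the existing comment says the field is a "length in bits" while the upper bound compares it to `RTP_MAX_PACKET_LENGTH`, a constant named as a packet length; it is worth confirming that the units of that bound are intended while this line is being touched.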