From d4e0d5ed48aa9c0e11b9ddeea8c2d14632314089 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 31 Oct 2025 16:28:49 +0100
Subject: [PATCH] avformat/rtpdec_rfc4175: Check dimensions

Fixes: out of array access
Fixes: zeropath/int_overflow_in_rtpdec_rfc4175

Found-by: Joshua Rogers <joshua@joshua.hu>
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rtpdec_rfc4175.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index d793f56949..b49fc55d2d 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -25,6 +25,7 @@
 #include "rtpdec_formats.h"
 #include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/mem.h"
 #include "libavutil/pixdesc.h"
 #include "libavutil/parseutils.h"
@@ -193,6 +194,9 @@ static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
         if (ret < 0)
             goto fail;
 
+        ret = av_image_check_size(data->width, data->height, 0, s);
+        if (ret < 0)
+            goto fail;
 
         stream->codecpar->width = data->width;
         stream->codecpar->height = data->height;
@@ -303,6 +307,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx, PayloadContext *data,
         if (data->interlaced)
             line = 2 * line + field;
 
+        if (line >= data->height)
+            return AVERROR_INVALIDDATA;
+
         /* prevent ill-formed packets to write after buffer's end */
         copy_offset = (line * data->width + offset) * data->pgroup / data->xinc;
         if (copy_offset + length > data->frame_size || !data->frame)