avformat/rtpdec_rfc4175: Check dimensions

Fixes: out of array access Fixes: zeropath/int_overflow_in_rtpdec_rfc4175 Found-by: Joshua Rogers <joshua@joshua.hu> Reviewed-by: Joshua Rogers <joshua@joshua.hu> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit d4e0d5ed48) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-12-15 19:40:07 +01:00 · 2025-10-31 16:28:49 +01:00
parent 51b5e19aa5
commit f1b3d804db
1 changed files with 7 additions and 0 deletions
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -24,6 +24,7 @@
 #include "avio_internal.h"
 #include "rtpdec_formats.h"
 #include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/mem.h"
 #include "libavutil/pixdesc.h"
 #include "libavutil/parseutils.h"
@@ -186,6 +187,9 @@ static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
        if (ret < 0)
            return ret;

+        ret = av_image_check_size(data->width, data->height, 0, s);
+        if (ret < 0)
+            return ret;

        if (!data->sampling || !data->depth || !data->width || !data->height)
            return AVERROR(EINVAL);
@@ -296,6 +300,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx, PayloadContext *data,
        if (data->interlaced)
            line = 2 * line + field;

+        if (line >= data->height)
+            return AVERROR_INVALIDDATA;
+
        /* prevent ill-formed packets to write after buffer's end */
        copy_offset = (line * data->width + offset) * data->pgroup / data->xinc;
        if (copy_offset + length > data->frame_size || !data->frame)