From f1b3d804db08509fa122bb56fa28f52cb7ae42ac Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 31 Oct 2025 16:28:49 +0100
Subject: [PATCH] avformat/rtpdec_rfc4175: Check dimensions

Fixes: out of array access
Fixes: zeropath/int_overflow_in_rtpdec_rfc4175

Found-by: Joshua Rogers <joshua@joshua.hu>
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d4e0d5ed48aa9c0e11b9ddeea8c2d14632314089)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rtpdec_rfc4175.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index c41e4f19e0..4ad69500aa 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -24,6 +24,7 @@
 #include "avio_internal.h"
 #include "rtpdec_formats.h"
 #include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/mem.h"
 #include "libavutil/pixdesc.h"
 #include "libavutil/parseutils.h"
@@ -186,6 +187,9 @@ static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
         if (ret < 0)
             return ret;
 
+        ret = av_image_check_size(data->width, data->height, 0, s);
+        if (ret < 0)
+            return ret;
 
         if (!data->sampling || !data->depth || !data->width || !data->height)
             return AVERROR(EINVAL);
@@ -296,6 +300,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx, PayloadContext *data,
         if (data->interlaced)
             line = 2 * line + field;
 
+        if (line >= data->height)
+            return AVERROR_INVALIDDATA;
+
         /* prevent ill-formed packets to write after buffer's end */
         copy_offset = (line * data->width + offset) * data->pgroup / data->xinc;
         if (copy_offset + length > data->frame_size || !data->frame)