From 1a00ea51cbaf3967718ee0ceeb51a127d42bd249 Mon Sep 17 00:00:00 2001
From: "depthfirst-dev[bot]"
 <1012587+depthfirst-dev[bot]@users.noreply.github.com>
Date: Wed, 22 Apr 2026 23:44:01 +0000
Subject: [PATCH] avformat/rtsp: Fix out-of-bounds read in SDP parser when
 control_url is empty

Guard against empty string before reading the last byte in control_url.
When parsing relative a=control: paths, if no base control URL was set,
the code would access control_url[strlen(control_url)-1] which on an
empty string causes a size_t underflow and out-of-bounds read.

Now compute the length first and check for len == 0 before array access.

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*

Fixes: DFVULN-611
---
 libavformat/rtsp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
index 6da03d26fe..45b62c4188 100644
--- a/libavformat/rtsp.c
+++ b/libavformat/rtsp.c
@@ -612,7 +612,8 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1,
                              NULL, NULL, 0, p);
                 if (proto[0] == '\0') {
                     /* relative control URL */
-                    if (rtsp_st->control_url[strlen(rtsp_st->control_url)-1]!='/')
+                    size_t len = strlen(rtsp_st->control_url);
+                    if (len == 0 || rtsp_st->control_url[len - 1] != '/')
                         av_strlcat(rtsp_st->control_url, "/",
                                    sizeof(rtsp_st->control_url));
                     av_strlcat(rtsp_st->control_url, p,