From 52b78cd3fe411662b1db06e63c17b5d1399155ee Mon Sep 17 00:00:00 2001
From: "depthfirst-dev[bot]"
 <1012587+depthfirst-dev[bot]@users.noreply.github.com>
Date: Thu, 23 Apr 2026 02:47:11 +0000
Subject: [PATCH] avformat/rtmpproto: validate compressed SWF header length

Reject truncated compressed SWF input before attempting to read the
8-byte header in rtmp_calc_swfhash().

Compressed SWF data identified by the "CWS" signature must be at least
8 bytes long to contain the fixed header. Bail out early when the input
is shorter to avoid operating on malformed data.

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*

Fixes: DFVULN-612
---
 libavformat/rtmpproto.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 2fa2843c03..2cc6992903 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -1209,6 +1209,10 @@ static int rtmp_calc_swfhash(URLContext *s)
     if (!memcmp(in_data, "CWS", 3)) {
 #if CONFIG_ZLIB
         int64_t out_size;
+        if (in_size < 8) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
         /* Decompress the SWF player file using Zlib. */
         if (!(out_data = av_malloc(8))) {
             ret = AVERROR(ENOMEM);