xaymar/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avformat/rtpdec_qdm2: Check block_size

Browse Source 
Fixes: out of array access
no testcase

Found-by: Joshua Rogers <joshua@joshua.hu> with ZeroPath
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 29a0973855)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2025-11-01 02:02:44 +01:00
parent 7aaf8d16b5
commit 7e9f8fe7f9
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavformat/rtpdec_qdm2.c
+8 -2
View File
@@ -187,8 +187,9 @@ static int qdm2_parse_subpacket(PayloadContext *qdm, AVStream *st,
*/
static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt)
{
int to_copy, n, res, include_csum;
int to_copy, n, res;
uint8_t *p, *csum_pos = NULL;
int include_csum = qdm->block_type == 2 || qdm->block_type == 4;
/* create packet to hold subpkts into a superblock */
av_assert0(qdm->cache > 0);
@@ -197,6 +198,11 @@ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt)
break;
av_assert0(n < 0x80);
int min_size = 2 + (qdm->len[n] > 0xff) + 2*include_csum;
if (qdm->block_size < min_size)
return AVERROR_INVALIDDATA;
if ((res = av_new_packet(pkt, qdm->block_size)) < 0)
return res;
memset(pkt->data, 0, pkt->size);
@@ -212,7 +218,7 @@ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt)
*p++ = qdm->block_type;
*p++ = qdm->len[n];
}
if ((include_csum = (qdm->block_type == 2 || qdm->block_type == 4))) {
if (include_csum) {
csum_pos = p;
p += 2;
}