xaymar/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avformat/rtpdec_mpeg4: reject zero-length AU header sections

Browse Source 
Reject AU header sections with a signaled length of zero in
rtp_parse_mp4_au().

The AU-headers-length field specifies the length in bits of the AU header
section that immediately follows. A zero-length section is not useful input
for this parser and can lead to invalid downstream state, so reject it
up front together with oversized values.

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*

Fixes: OOB read
This commit is contained in:
depthfirst-dev[bot]
2026-04-23 02:47:11 +00:00
committed by michaelni
parent fd5023053a
commit 8010aa2193
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavformat/rtpdec_mpeg4.c
+1 -1
View File
@@ -138,7 +138,7 @@ static int rtp_parse_mp4_au(PayloadContext *data, const uint8_t *buf, int len)
length in bits */
au_headers_length = AV_RB16(buf);
if (au_headers_length > RTP_MAX_PACKET_LENGTH)
if (au_headers_length == 0 || au_headers_length > RTP_MAX_PACKET_LENGTH)
return -1;
data->au_headers_length_bytes = (au_headers_length + 7) / 8;