xaymar/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avformat/rtspdec: reject non-positive ANNOUNCE Content-Length

Browse Source 
rtsp_read_announce() treated any non-zero Content-Length as valid,
including negative values parsed via strtol(). This could send invalid
sizes into allocation, body reads and trailing NUL writes.

Accept only strictly positive SDP body lengths and reject invalid
Content-Length values with AVERROR_INVALIDDATA.

Found-by: Seung Min Shin (was reported to us on 10th April)
CC: 신승민 <guncraft2000@naver.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eec78bdac1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
depthfirst-dev[bot]
2026-04-23 02:47:11 +00:00
committed by Michael Niedermayer
parent b6697fbdca
commit 897ab53e0a
1 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavformat/rtspdec.c
+5 -4
View File
@@ -185,7 +185,8 @@ static int rtsp_read_announce(AVFormatContext *s)
rtsp_send_reply(s, RTSP_STATUS_SERVICE, NULL, request.seq);
return AVERROR_OPTION_NOT_FOUND;
}
if (request.content_length && request.content_length < sizeof(sdp) - 1) {
if (request.content_length > 0 && request.content_length < sizeof(sdp) - 1) {
/* Read SDP */
if (ffurl_read_complete(rt->rtsp_hd, sdp, request.content_length)
< request.content_length) {
@@ -203,10 +204,10 @@ static int rtsp_read_announce(AVFormatContext *s)
return 0;
}
av_log(s, AV_LOG_ERROR,
"Content-Length header value exceeds sdp allocated buffer (4KB)\n");
"Invalid ANNOUNCE Content-Length %d\n", request.content_length);
rtsp_send_reply(s, RTSP_STATUS_INTERNAL,
"Content-Length exceeds buffer size", request.seq);
return AVERROR(EIO);
"Invalid Content-Length", request.seq);
return AVERROR_INVALIDDATA;
}
static int rtsp_read_options(AVFormatContext *s)