avformat/rtpdec_jpeg: check qtable_len

Fixes: out of array access Fixes: 605/pc.py Based-on patch by depthfirst *Reporter: Zhenpeng (Leo) Lin at depthfirst*
2026-04-23 00:23:57 +00:00
parent 26732641fb
commit 91d29be49a
1 changed files with 6 additions and 0 deletions
@@ -276,6 +276,12 @@ static int jpeg_parse_packet(AVFormatContext *ctx, PayloadContext *jpeg,
                av_log(ctx, AV_LOG_WARNING, "Only 8-bit precision is supported.\n");

            if (qtable_len > 0) {
+                if (qtable_len != 128) {
+                    av_log(ctx, AV_LOG_ERROR, "Invalid RTP/JPEG packet. Invalid qtable length %d.\n", qtable_len);
+                    if (qtable_len%64 || qtable_len > 4*64)
+                        return AVERROR_INVALIDDATA;
+                }
+
                if (len < qtable_len) {
                    av_log(ctx, AV_LOG_ERROR, "Too short RTP/JPEG packet.\n");
                    return AVERROR_INVALIDDATA;