From 91d29be49a5b0f19dc888ec2d60f6776387d15b8 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 23 Apr 2026 00:23:57 +0000
Subject: [PATCH] avformat/rtpdec_jpeg: check qtable_len

Fixes: out of array access
Fixes: 605/pc.py

Based-on patch by depthfirst

*Reporter: Zhenpeng (Leo) Lin at depthfirst*
---
 libavformat/rtpdec_jpeg.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/rtpdec_jpeg.c b/libavformat/rtpdec_jpeg.c
index 4d9ee0d754..1e35378094 100644
--- a/libavformat/rtpdec_jpeg.c
+++ b/libavformat/rtpdec_jpeg.c
@@ -276,6 +276,12 @@ static int jpeg_parse_packet(AVFormatContext *ctx, PayloadContext *jpeg,
                 av_log(ctx, AV_LOG_WARNING, "Only 8-bit precision is supported.\n");
 
             if (qtable_len > 0) {
+                if (qtable_len != 128) {
+                    av_log(ctx, AV_LOG_ERROR, "Invalid RTP/JPEG packet. Invalid qtable length %d.\n", qtable_len);
+                    if (qtable_len%64 || qtable_len > 4*64)
+                        return AVERROR_INVALIDDATA;
+                }
+
                 if (len < qtable_len) {
                     av_log(ctx, AV_LOG_ERROR, "Too short RTP/JPEG packet.\n");
                     return AVERROR_INVALIDDATA;