xaymar/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avformat/rtsp: Fix out-of-bounds read in SDP parser when control_url is empty

Browse Source 
Guard against empty string before reading the last byte in control_url.
When parsing relative a=control: paths, if no base control URL was set,
the code would access control_url[strlen(control_url)-1] which on an
empty string causes a size_t underflow and out-of-bounds read.

Now compute the length first and check for len == 0 before array access.

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*

Fixes: DFVULN-611
(cherry picked from commit 1a00ea51cb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
depthfirst-dev[bot]
2026-04-22 23:44:01 +00:00
committed by Michael Niedermayer
parent ebc5fd31d0
commit d773a4ab25
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavformat/rtsp.c
+4 -3
View File
@@ -585,9 +585,10 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1,
NULL, NULL, 0, p);
if (proto[0] == '\0') {
/* relative control URL */
if (rtsp_st->control_url[strlen(rtsp_st->control_url)-1]!='/')
av_strlcat(rtsp_st->control_url, "/",
sizeof(rtsp_st->control_url));
size_t len = strlen(rtsp_st->control_url);
if (len == 0 || rtsp_st->control_url[len - 1] != '/')
av_strlcat(rtsp_st->control_url, "/",
sizeof(rtsp_st->control_url));
av_strlcat(rtsp_st->control_url, p,
sizeof(rtsp_st->control_url));
} else