From eec78bdac1ae585d7e07df61844684a0e3ec4680 Mon Sep 17 00:00:00 2001
From: "depthfirst-dev[bot]" <1012587+depthfirst-dev[bot]@users.noreply.github.com>
Date: Thu, 23 Apr 2026 02:47:11 +0000
Subject: [PATCH] avformat/rtspdec: reject non-positive ANNOUNCE Content-Length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
rtsp_read_announce() treated any non-zero Content-Length as valid, including negative values parsed via strtol(). This could send invalid sizes into allocation, body reads and trailing NUL writes. Accept only strictly positive SDP body lengths and reject invalid Content-Length values with AVERROR_INVALIDDATA.
Found-by: Seung Min Shin (was reported to us on 10th April)
CC: 신승민
Signed-off-by: Michael Niedermayer
---
 libavformat/rtspdec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavformat/rtspdec.c b/libavformat/rtspdec.c
index 2c6a7c41bc..e0bdf9d4ac 100644
--- a/libavformat/rtspdec.c
+++ b/libavformat/rtspdec.c
@@ -191,7 +191,7 @@ static int rtsp_read_announce(AVFormatContext *s)
 rtsp_send_reply(s, RTSP_STATUS_SERVICE, NULL, request.seq);
 return AVERROR_OPTION_NOT_FOUND;
 }
- if (request.content_length) {
+ if (request.content_length > 0) {
 sdp = av_malloc(request.content_length + 1);
 if (!sdp)
 return AVERROR(ENOMEM);
@@ -215,10 +215,10 @@ static int rtsp_read_announce(AVFormatContext *s)
 return 0;
 }
 av_log(s, AV_LOG_ERROR,
- "Content-Length header value exceeds sdp allocated buffer (4KB)\n");
+ "Invalid ANNOUNCE Content-Length %d\n", request.content_length);
 rtsp_send_reply(s, RTSP_STATUS_INTERNAL,
- "Content-Length exceeds buffer size", request.seq);
- return AVERROR(EIO);
+ "Invalid Content-Length", request.seq);
+ return AVERROR_INVALIDDATA;
 }

 static int rtsp_read_options(AVFormatContext *s)
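Review bot: The new guard `if (request.content_length > 0)` still has no upper bound, so the peer-supplied length flows unchanged into `av_malloc(request.content_length + 1)`. The second hunk prints the field with `%d`, so it appears to be an int: at INT_MAX the `+ 1` is signed overflow, and any smaller value lets a remote client dictate the allocation size. Bounding it in the same condition, e.g. `if (request.content_length > 0 && request.content_length < SDP_MAX_SIZE) {` (assuming that constant from rtsp.h is the intended SDP limit, to be confirmed), would route oversized values to the existing rejection path. The body of rtsp_read_announce() starts and ends outside this hunk, so any bound applied earlier during header parsing is not visible here.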
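Review bot: The rejection path still replies with `RTSP_STATUS_INTERNAL`, although after this change the only way to reach it is a Content-Length the client got wrong. A 4xx reply such as `rtsp_send_reply(s, RTSP_STATUS_BAD_REQUEST, "Invalid Content-Length", request.seq);` would describe the failure correctly and keep peer-induced rejections from being counted as server faults in logs and monitoring. A one-line comment above the `av_log()` call, e.g. `/* Content-Length is peer-controlled; zero and negative values are rejected here */`, would also make clear why the fall-through is an error. The start of rtsp_read_announce() is outside this hunk.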