[FFmpeg-cvslog] [ffmpeg] avformat/rtpdec_latm: avoid integer overflow in LATM length parsing (branch master)

Sun, 03 May 2026 05:43:58 -0700 

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new 664d44a825 avformat/rtpdec_latm: avoid integer overflow in LATM length 
parsing
664d44a825 is described below

commit 664d44a8254813a6d78432e57e02223a1e185467
Author:     depthfirst-dev[bot] 
<1012587+depthfirst-dev[bot]@users.noreply.github.com>
AuthorDate: Thu Apr 23 02:47:11 2026 +0000
Commit:     michaelni <[email protected]>
CommitDate: Sun May 3 12:42:57 2026 +0000

    avformat/rtpdec_latm: avoid integer overflow in LATM length parsing
    
    latm_parse_packet() accumulated attacker-controlled AU length bytes in
    a signed int and later checked data->pos + cur_len against data->len.
    That addition could overflow, allowing malformed packets to bypass the
    bounds check and drive memcpy() far past the end of the LATM buffer.
    
    Reject length-byte accumulation that would exceed the remaining packet
    size, and compare cur_len against the remaining buffer space using
    subtraction so the bounds check cannot overflow.
    
    Fixes: DFVULN-610
    
    *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
    *Patch validated by Zheng Yu at depthfirst*
---
 libavformat/rtpdec_latm.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/rtpdec_latm.c b/libavformat/rtpdec_latm.c
index 74523c167d..dd374a0e6a 100644
--- a/libavformat/rtpdec_latm.c
+++ b/libavformat/rtpdec_latm.c
@@ -73,11 +73,15 @@ static int latm_parse_packet(AVFormatContext *ctx, 
PayloadContext *data,
     cur_len = 0;
     while (data->pos < data->len) {
         uint8_t val = data->buf[data->pos++];
+        if (val > data->len - cur_len) {
+            av_log(ctx, AV_LOG_ERROR, "Malformed LATM packet\n");
+            return AVERROR_INVALIDDATA;
+        }
         cur_len += val;
         if (val != 0xff)
             break;
     }
-    if (data->pos + cur_len > data->len) {
+    if (cur_len > data->len - data->pos) {
         av_log(ctx, AV_LOG_ERROR, "Malformed LATM packet\n");
         return AVERROR(EIO);
     }

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to