This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new 1a00ea51cb avformat/rtsp: Fix out-of-bounds read in SDP parser when control_url is empty
1a00ea51cb is described below

commit 1a00ea51cbaf3967718ee0ceeb51a127d42bd249
Author:     depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com>
AuthorDate: Wed Apr 22 23:44:01 2026 +0000
Commit:     michaelni <[email protected]>
CommitDate: Sun May 3 12:43:05 2026 +0000

    avformat/rtsp: Fix out-of-bounds read in SDP parser when control_url is empty
    
    Guard against empty string before reading the last byte in control_url.
    When parsing relative a=control: paths, if no base control URL was set,
    the code would access control_url[strlen(control_url)-1] which on an
    empty string causes a size_t underflow and out-of-bounds read.
    
    Now compute the length first and check for len == 0 before array access.
    
    *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
    *Patch validated by Zheng Yu at depthfirst*
    
    Fixes: DFVULN-611
---
 libavformat/rtsp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
index 6da03d26fe..45b62c4188 100644
--- a/libavformat/rtsp.c
+++ b/libavformat/rtsp.c
@@ -612,7 +612,8 @@ static void sdp_parse_line(AVFormatContext *s, 
SDPParseState *s1,
                              NULL, NULL, 0, p);
                 if (proto[0] == '\0') {
                     /* relative control URL */
-                    if 
(rtsp_st->control_url[strlen(rtsp_st->control_url)-1]!='/')
+                    size_t len = strlen(rtsp_st->control_url);
+                    if (len == 0 || rtsp_st->control_url[len - 1] != '/')
                         av_strlcat(rtsp_st->control_url, "/",
                                    sizeof(rtsp_st->control_url));
                     av_strlcat(rtsp_st->control_url, p,
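
Review bot: the `len == 0 ||` arm of the new condition makes an empty control_url take the av_strlcat(..., "/", ...) branch, so a relative a=control: value with no base URL is stored as "/" followed by p rather than as p alone. If the leading slash is not wanted for the no-base case, `if (len > 0 && rtsp_st->control_url[len - 1] != '/')` removes the out-of-bounds read without adding a separator to an empty string; if it is wanted, a short comment next to the "relative control URL" comment stating that would help, since the commit message only describes the bounds fix and not the resulting URL.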

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
