This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 52b78cd3fe avformat/rtmpproto: validate compressed SWF header length
52b78cd3fe is described below
commit 52b78cd3fe411662b1db06e63c17b5d1399155ee
Author: depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com>
AuthorDate: Thu Apr 23 02:47:11 2026 +0000
Commit: michaelni <[email protected]>
CommitDate: Sun May 3 12:43:21 2026 +0000
avformat/rtmpproto: validate compressed SWF header length
Reject truncated compressed SWF input before attempting to read the
8-byte header in rtmp_calc_swfhash().
Compressed SWF data identified by the "CWS" signature must be at least
8 bytes long to contain the fixed header. Bail out early when the input
is shorter to avoid operating on malformed data.
*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*
Fixes: DFVULN-612
---
libavformat/rtmpproto.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 2fa2843c03..2cc6992903 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -1209,6 +1209,10 @@ static int rtmp_calc_swfhash(URLContext *s)
if (!memcmp(in_data, "CWS", 3)) {
#if CONFIG_ZLIB
int64_t out_size;
+ if (in_size < 8) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
/* Decompress the SWF player file using Zlib. */
if (!(out_data = av_malloc(8))) {
ret = AVERROR(ENOMEM);
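Review bot: the new `if (in_size < 8)` check returns AVERROR_INVALIDDATA without any diagnostic, so a truncated "CWS" blob fails the SWF hash calculation silently; an `av_log(s, AV_LOG_ERROR, ...)` naming the short compressed SWF header before `goto fail` would make the failure mode visible to whoever configured the swfverification/swfurl options. Note also that the check sits inside the `#if CONFIG_ZLIB` block, so builds without zlib do not get it; that is only safe if the non-zlib "CWS" branch (not visible in this hunk) never reads the 8-byte header, which is worth confirming or stating in the commit message.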
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]