This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit 8c7ec4b4b5597185f13cd3ed73776e13666bd804 Author: Ruikai Peng <[email protected]> AuthorDate: Tue Mar 31 21:59:38 2026 -0400 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun May 3 19:24:51 2026 +0200 avformat/whip: check RTP history packet size before RTX retransmission handle_rtx_packet() constructs an RTX packet by shifting the payload of a history entry to insert the original sequence number. It uses memmove with length (ori_size - 12), but never checks that ori_size is at least 12 bytes (the minimum RTP header size). Zero-initialized history slots have seq == 0 and size == 0. rtp_history_find() only compares sequence numbers, so an RTCP NACK requesting seq 0 early in a session matches such a slot. The subtraction then wraps to a huge value when converted to size_t, causing a stack buffer overflow in memmove(). Add a little size check to reject history entries smaller than and valid RTP header before any arithmetic on their size. Found-by: Pwno (cherry picked from commit 7466d8a8509bcb2f54e4f9e149bded8f413b6e46) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/whip.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/whip.c b/libavformat/whip.c index aeb2c186aa..c079770102 100644 --- a/libavformat/whip.c +++ b/libavformat/whip.c @@ -1906,6 +1906,12 @@ static void handle_rtx_packet(AVFormatContext *s, uint16_t seq) ori_buf = it->buf; ori_size = it->size; + /* A valid RTP packet must have at least a RTP header. */ + if (ori_size < WHIP_RTP_HEADER_SIZE) { + av_log(whip, AV_LOG_WARNING, "RTX history packet too small, size=%d\n", ori_size); + goto end; + } + /* RTX packet format: header + original seq (2 bytes) + payload */ if (ori_size + 2 > sizeof(rtx_buf)) { av_log(whip, AV_LOG_WARNING, "RTX packet is too large, size=%d\n", ori_size); _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
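Review bot: The new `ori_size < WHIP_RTP_HEADER_SIZE` check in handle_rtx_packet() rejects the bad entry only after the lookup has already matched it, so the root cause given in the commit message (rtp_history_find() compares sequence numbers only, which lets a NACK for seq 0 match a zero-initialized slot) is still in place. Consider also making the lookup skip slots whose size is 0, so that a hit always refers to a packet that was actually stored and the guard here becomes a second line of defence. The av_log() at AV_LOG_WARNING in the new branch is reachable by the remote peer through an RTCP NACK, so a peer can trigger it repeatedly; a lower log level or some rate limiting would avoid log flooding. The commit message gives the memmove length as (ori_size - 12); if that literal is still in the function, using WHIP_RTP_HEADER_SIZE there as well keeps the check and the arithmetic tied to the same constant. Minor: "a RTP header" in the added comment should read "an RTP header".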
