This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/7.1 in repository ffmpeg.
commit 7f76c7c1f833e28db9ed2fdd96232250c9239a1b Author: depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com> AuthorDate: Wed Apr 22 23:44:01 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Mon May 4 15:57:30 2026 +0200 avformat/rtsp: Fix out-of-bounds read in SDP parser when control_url is empty Guard against empty string before reading the last byte in control_url. When parsing relative a=control: paths, if no base control URL was set, the code would access control_url[strlen(control_url)-1] which on an empty string causes a size_t underflow and out-of-bounds read. Now compute the length first and check for len == 0 before array access. *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst* *Patch validated by Zheng Yu at depthfirst* Fixes: DFVULN-611 (cherry picked from commit 1a00ea51cbaf3967718ee0ceeb51a127d42bd249) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/rtsp.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index f89bd3aa46..9f59f604d3 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -585,9 +585,10 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1, NULL, NULL, 0, p); if (proto[0] == '\0') { /* relative control URL */ - if (rtsp_st->control_url[strlen(rtsp_st->control_url)-1]!='/') - av_strlcat(rtsp_st->control_url, "/", - sizeof(rtsp_st->control_url)); + size_t len = strlen(rtsp_st->control_url); + if (len == 0 || rtsp_st->control_url[len - 1] != '/') + av_strlcat(rtsp_st->control_url, "/", + sizeof(rtsp_st->control_url)); av_strlcat(rtsp_st->control_url, p, sizeof(rtsp_st->control_url)); } else _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
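Review bot: the len == 0 arm of the new condition in sdp_parse_line() still appends "/" before p, so with no base control URL a relative a=control: value ends up as "/" followed by p. Please confirm that this is the intended result rather than copying p alone into control_url, and add a one-line comment on the len == 0 case saying so, since the existing /* relative control URL */ comment does not cover the empty-base situation. Separately, both av_strlcat() calls in this block ignore their return value, so truncation against sizeof(rtsp_st->control_url) passes silently; comparing the returned length with the buffer size and logging a warning would make an over-long control path visible.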
