This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 18761f9fb5 avformat/rtpdec_av1: fix buffer overflow due to variable
confusion
18761f9fb5 is described below
commit 18761f9fb55c697243acd41689fbee6a6d6f13ca
Author: Marvin Scholz <[email protected]>
AuthorDate: Wed Apr 29 13:52:28 2026 +0200
Commit: Marvin Scholz <[email protected]>
CommitDate: Tue May 12 16:02:51 2026 +0200
avformat/rtpdec_av1: fix buffer overflow due to variable confusion
The pktpos denotes the position in the output packet buffer, while
buf_ptr is the position in the input buffer. As this payload is ignored,
nothing is written to the output packet so increasing the pktpos does
not make sense here, instead the buf_ptr has to be increased to advance
the input buffer to the correct position after this OBU.
This incorrect increment here could result in pktpos exceeding the whole
size of the output packet and the later call to memcpy to write to that
buffer would start its write way past the end of the packet buffer.
Fix #22812
Reported-By: fre3dm4n
---
libavformat/rtpdec_av1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/rtpdec_av1.c b/libavformat/rtpdec_av1.c
index dda17be4a1..91f75326f7 100644
--- a/libavformat/rtpdec_av1.c
+++ b/libavformat/rtpdec_av1.c
@@ -249,7 +249,7 @@ static int av1_handle_packet(AVFormatContext *ctx,
PayloadContext *data,
// ignore and remove OBUs according to spec
if ((obu_type == AV1_OBU_TEMPORAL_DELIMITER) ||
(obu_type == AV1_OBU_TILE_LIST)) {
- pktpos += obu_size;
+ buf_ptr += obu_size;
rem_pkt_size -= obu_size;
// TODO: This probably breaks if the OBU_TILE_LIST is
fragmented
// into the next RTP packet, so at least check and fail here
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
