This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new a44cae9025 avformat/rtpenc_aac: reject packets smaller than the ADTS
header
a44cae9025 is described below
commit a44cae9025e96be2c220a64ef98a678fe6e0df77
Author: Franciszek Kalinowski <[email protected]>
AuthorDate: Tue May 19 09:33:00 2026 +0200
Commit: michaelni <[email protected]>
CommitDate: Thu May 21 01:09:37 2026 +0000
avformat/rtpenc_aac: reject packets smaller than the ADTS header
When extradata_size == 0, ff_rtp_send_aac() does `size -= 7` to skip the
ADTS header without checking size >= 7. A short packet makes size negative,
and the value is later passed to memcpy() as size_t, reading past the buffer
end. Bail out instead.
The vulnerable branch is not reached when using the built-in AAC encoder
(which always emits extradata), but an application that feeds raw
ADTS-stripped AAC packets through the libavformat RTP muxer can hit it. The
fix is a one-line lower-bound check and compiles/runs cleanly; see audit
PoC for the static analysis and reachable-by-API write-up.
Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz
Smigielski.
---
libavformat/rtpenc_aac.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/rtpenc_aac.c b/libavformat/rtpenc_aac.c
index fad8ea2a5b..96bdb3f706 100644
--- a/libavformat/rtpenc_aac.c
+++ b/libavformat/rtpenc_aac.c
@@ -34,6 +34,10 @@ void ff_rtp_send_aac(AVFormatContext *s1, const uint8_t
*buff, int size)
/* skip ADTS header, if present */
if ((s1->streams[0]->codecpar->extradata_size) == 0) {
+ if (size < 7) {
+ av_log(s1, AV_LOG_ERROR, "AAC packet too small for ADTS header\n");
+ return;
+ }
size -= 7;
buff += 7;
}
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
