This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit 5c56b48dbe49b39ca62ee0ce53a0286b90784ca1 Author: bird <[email protected]> AuthorDate: Sun Apr 5 05:52:03 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue Jun 16 05:52:32 2026 +0200 avformat/sctp: add size check in sctp_read() matching sctp_write() Commit 5b98cea4 added a size < 2 guard to sctp_write() to prevent out-of-bounds access when max_streams is enabled, but the identical pattern in sctp_read() was not addressed. When max_streams is non-zero, sctp_read() passes (buf + 2, size - 2) to ff_sctp_recvmsg(). If size < 2, size - 2 wraps to a large value on the implicit cast to size_t in the callee. Add the same guard. Signed-off-by: bird <[email protected]> (cherry picked from commit 5c3602abaa50dfe60a3356de5abff73f15df0f99) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/sctp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sctp.c b/libavformat/sctp.c index 9a6b991803..0efac12d96 100644 --- a/libavformat/sctp.c +++ b/libavformat/sctp.c @@ -309,6 +309,9 @@ static int sctp_read(URLContext *h, uint8_t *buf, int size) } if (s->max_streams) { + if (size < 2) + return AVERROR(EINVAL); + /*StreamId is introduced as a 2byte code into the stream*/ struct sctp_sndrcvinfo info = { 0 }; ret = ff_sctp_recvmsg(s->fd, buf + 2, size - 2, NULL, 0, &info, 0); _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
