PR #20812 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20812 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20812.patch
Fixes: out of array access no testcase Found-by: Joshua Rogers <[email protected]> with ZeroPath Signed-off-by: Michael Niedermayer <[email protected]> >From c772162c87dab3db5910db5e33dcc6f6dc34c2ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Sat, 1 Nov 2025 02:02:44 +0100 Subject: [PATCH] avformat/rtpdec_qdm2: Check block_size Fixes: out of array access no testcase Found-by: Joshua Rogers <[email protected]> with ZeroPath Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/rtpdec_qdm2.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpdec_qdm2.c b/libavformat/rtpdec_qdm2.c index dce3c48bcc..9d71fe67dd 100644 --- a/libavformat/rtpdec_qdm2.c +++ b/libavformat/rtpdec_qdm2.c @@ -186,8 +186,9 @@ static int qdm2_parse_subpacket(PayloadContext *qdm, AVStream *st, */ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt) { - int to_copy, n, res, include_csum; + int to_copy, n, res; uint8_t *p, *csum_pos = NULL; + int include_csum = qdm->block_type == 2 || qdm->block_type == 4; /* create packet to hold subpkts into a superblock */ av_assert0(qdm->cache > 0); @@ -196,6 +197,11 @@ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt) break; av_assert0(n < 0x80); + int min_size = 2 + (qdm->len[n] > 0xff) + 2*include_csum; + + if (qdm->block_size < min_size) + return AVERROR_INVALIDDATA; + if ((res = av_new_packet(pkt, qdm->block_size)) < 0) return res; memset(pkt->data, 0, pkt->size); @@ -211,7 +217,7 @@ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt) *p++ = qdm->block_type; *p++ = qdm->len[n]; } - if ((include_csum = (qdm->block_type == 2 || qdm->block_type == 4))) { + if (include_csum) { csum_pos = p; p += 2; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
