PR #22965 opened by Marvin Scholz (ePirat)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22965
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22965.patch
The `pktpos` denotes the position in the output packet buffer, while `buf_ptr`
is the position in the input buffer. As this payload is ignored, nothing is
written to the output packet so increasing the `pktpos` does not make sense
here, instead the `buf_ptr` has to be increased to advance the input buffer to
the correct position after this OBU.
This incorrect increment here could result in `pktpos` exceeding the whole size
of the output packet and the later call to `memcpy` to write to that buffer
would start its write way past the end of the packet buffer.
Fix #22812
Reported-By: @fre3dm4n
Additionally added more safeguards before blindly doing a `memcpy`.
>From e8919c85ef04c07f7841b4e4e471be5461dd9281 Mon Sep 17 00:00:00 2001
From: Marvin Scholz <[email protected]>
Date: Wed, 29 Apr 2026 13:30:51 +0200
Subject: [PATCH 1/2] avformat/rtpdec_av1: harden code against wrong size
calculation
Given how easy it is to get things wrong here, let's better be safe
than sorry and actually check before blindly writing anything.
---
libavformat/rtpdec_av1.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/rtpdec_av1.c b/libavformat/rtpdec_av1.c
index dda17be4a1..7c5ed04536 100644
--- a/libavformat/rtpdec_av1.c
+++ b/libavformat/rtpdec_av1.c
@@ -29,6 +29,7 @@
* caused by packet drops and thus keep the stream syntactically intact.
*/
+#include "libavutil/avassert.h"
#include "libavutil/avstring.h"
#include "libavutil/mem.h"
#include "avformat.h"
@@ -333,7 +334,9 @@ static int av1_handle_packet(AVFormatContext *ctx,
PayloadContext *data,
data->frag_lebs_res = 0;
}
// copy verbatim or without above header size patch
- memcpy(pkt->data + pktpos, buf_ptr, obu_payload_size);
+ int remaining_size = pkt->size - pktpos;
+ av_assert0(remaining_size >= 0);
+ memcpy(pkt->data + pktpos, buf_ptr, FFMIN(obu_payload_size,
remaining_size));
pktpos += obu_payload_size;
buf_ptr += obu_payload_size;
rem_pkt_size -= obu_size;
--
2.52.0
>From 6c9660d53d6739a8edf2d9492aa2e2862c92ba83 Mon Sep 17 00:00:00 2001
From: Marvin Scholz <[email protected]>
Date: Wed, 29 Apr 2026 13:52:28 +0200
Subject: [PATCH 2/2] avformat/rtpdec_av1: fix buffer overflow due to variable
confusion
The pktpos denotes the position in the output packet buffer, while
buf_ptr is the position in the input buffer. As this payload is ignored,
nothing is written to the output packet so increasing the pktpos does
not make sense here, instead the buf_ptr has to be increased to advance
the input buffer to the correct position after this OBU.
This incorrect increment here could result in pktpos exceeding the whole
size of the output packet and the later call to memcpy to write to that
buffer would start its write way past the end of the packet buffer.
Fix #22812
Reported-By: fre3dm4n
---
libavformat/rtpdec_av1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/rtpdec_av1.c b/libavformat/rtpdec_av1.c
index 7c5ed04536..f29d0dcd79 100644
--- a/libavformat/rtpdec_av1.c
+++ b/libavformat/rtpdec_av1.c
@@ -250,7 +250,7 @@ static int av1_handle_packet(AVFormatContext *ctx,
PayloadContext *data,
// ignore and remove OBUs according to spec
if ((obu_type == AV1_OBU_TEMPORAL_DELIMITER) ||
(obu_type == AV1_OBU_TILE_LIST)) {
- pktpos += obu_size;
+ buf_ptr += obu_size;
rem_pkt_size -= obu_size;
// TODO: This probably breaks if the OBU_TILE_LIST is
fragmented
// into the next RTP packet, so at least check and fail here
--
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]