PR #22980 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22980
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22980.patch

latm_parse_packet() accumulated attacker-controlled AU length bytes in
a signed int and later checked data->pos + cur_len against data->len.
That addition could overflow, allowing malformed packets to bypass the
bounds check and drive memcpy() far past the end of the LATM buffer.

Reject length-byte accumulation that would exceed the remaining packet
size, and compare cur_len against the remaining buffer space using
subtraction so the bounds check cannot overflow.

Fixes: DFVULN-610

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*


>From 6973205ef8f3a138174a6cadd7d66f4f43993da5 Mon Sep 17 00:00:00 2001
From: "depthfirst-dev[bot]"
 <1012587+depthfirst-dev[bot]@users.noreply.github.com>
Date: Thu, 23 Apr 2026 02:47:11 +0000
Subject: [PATCH] avformat/rtpdec_latm: avoid integer overflow in LATM length
 parsing

latm_parse_packet() accumulated attacker-controlled AU length bytes in
a signed int and later checked data->pos + cur_len against data->len.
That addition could overflow, allowing malformed packets to bypass the
bounds check and drive memcpy() far past the end of the LATM buffer.

Reject length-byte accumulation that would exceed the remaining packet
size, and compare cur_len against the remaining buffer space using
subtraction so the bounds check cannot overflow.

Fixes: DFVULN-610

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*
---
 libavformat/rtpdec_latm.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/rtpdec_latm.c b/libavformat/rtpdec_latm.c
index 74523c167d..dd374a0e6a 100644
--- a/libavformat/rtpdec_latm.c
+++ b/libavformat/rtpdec_latm.c
@@ -73,11 +73,15 @@ static int latm_parse_packet(AVFormatContext *ctx, 
PayloadContext *data,
     cur_len = 0;
     while (data->pos < data->len) {
         uint8_t val = data->buf[data->pos++];
+        if (val > data->len - cur_len) {
+            av_log(ctx, AV_LOG_ERROR, "Malformed LATM packet\n");
+            return AVERROR_INVALIDDATA;
+        }
         cur_len += val;
         if (val != 0xff)
             break;
     }
-    if (data->pos + cur_len > data->len) {
+    if (cur_len > data->len - data->pos) {
         av_log(ctx, AV_LOG_ERROR, "Malformed LATM packet\n");
         return AVERROR(EIO);
     }
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to