PR #22980 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22980
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22980.patch
latm_parse_packet() accumulated attacker-controlled AU length bytes in
a signed int and later checked data->pos + cur_len against data->len.
That addition could overflow, allowing malformed packets to bypass the
bounds check and drive memcpy() far past the end of the LATM buffer.
Reject length-byte accumulation that would exceed the remaining packet
size, and compare cur_len against the remaining buffer space using
subtraction so the bounds check cannot overflow.
Fixes: DFVULN-610
*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*
>From 6973205ef8f3a138174a6cadd7d66f4f43993da5 Mon Sep 17 00:00:00 2001
From: "depthfirst-dev[bot]"
<1012587+depthfirst-dev[bot]@users.noreply.github.com>
Date: Thu, 23 Apr 2026 02:47:11 +0000
Subject: [PATCH] avformat/rtpdec_latm: avoid integer overflow in LATM length
parsing
latm_parse_packet() accumulated attacker-controlled AU length bytes in
a signed int and later checked data->pos + cur_len against data->len.
That addition could overflow, allowing malformed packets to bypass the
bounds check and drive memcpy() far past the end of the LATM buffer.
Reject length-byte accumulation that would exceed the remaining packet
size, and compare cur_len against the remaining buffer space using
subtraction so the bounds check cannot overflow.
Fixes: DFVULN-610
*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*
---
libavformat/rtpdec_latm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/rtpdec_latm.c b/libavformat/rtpdec_latm.c
index 74523c167d..dd374a0e6a 100644
--- a/libavformat/rtpdec_latm.c
+++ b/libavformat/rtpdec_latm.c
@@ -73,11 +73,15 @@ static int latm_parse_packet(AVFormatContext *ctx,
PayloadContext *data,
cur_len = 0;
while (data->pos < data->len) {
uint8_t val = data->buf[data->pos++];
+ if (val > data->len - cur_len) {
+ av_log(ctx, AV_LOG_ERROR, "Malformed LATM packet\n");
+ return AVERROR_INVALIDDATA;
+ }
cur_len += val;
if (val != 0xff)
break;
}
- if (data->pos + cur_len > data->len) {
+ if (cur_len > data->len - data->pos) {
av_log(ctx, AV_LOG_ERROR, "Malformed LATM packet\n");
return AVERROR(EIO);
}
--
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]