PR #22984 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22984
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22984.patch
Reject truncated compressed SWF input before attempting to read the
8-byte header in rtmp_calc_swfhash().
Compressed SWF data identified by the "CWS" signature must be at least
8 bytes long to contain the fixed header. Bail out early when the input
is shorter to avoid operating on malformed data.
*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*
Fixes: DFVULN-612
>From 57456b72eb769e6239ee99760e7aff3b0c963cf6 Mon Sep 17 00:00:00 2001
From: "depthfirst-dev[bot]"
<1012587+depthfirst-dev[bot]@users.noreply.github.com>
Date: Thu, 23 Apr 2026 02:47:11 +0000
Subject: [PATCH] avformat/rtmpproto: validate compressed SWF header length
Reject truncated compressed SWF input before attempting to read the
8-byte header in rtmp_calc_swfhash().
Compressed SWF data identified by the "CWS" signature must be at least
8 bytes long to contain the fixed header. Bail out early when the input
is shorter to avoid operating on malformed data.
*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*
Fixes: DFVULN-612
---
libavformat/rtmpproto.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 2fa2843c03..2cc6992903 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -1209,6 +1209,10 @@ static int rtmp_calc_swfhash(URLContext *s)
if (!memcmp(in_data, "CWS", 3)) {
#if CONFIG_ZLIB
int64_t out_size;
+ if (in_size < 8) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
/* Decompress the SWF player file using Zlib. */
if (!(out_data = av_malloc(8))) {
ret = AVERROR(ENOMEM);
--
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]