[FFmpeg-devel] [PR] avformat/rtpdec_mpeg4: reject zero-length AU header sections (PR #22991)

Fri, 01 May 2026 11:06:20 -0700 

PR #22991 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22991
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22991.patch

Reject AU header sections with a signaled length of zero in
rtp_parse_mp4_au().

The AU-headers-length field specifies the length in bits of the AU header
section that immediately follows. A zero-length section is not useful input
for this parser and can lead to invalid downstream state, so reject it
up front together with oversized values.

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*

Fixes: OOB read


>From cfb2d741ffddb4aa326c7b8e2af21fd5e09578ca Mon Sep 17 00:00:00 2001
From: "depthfirst-dev[bot]"
 <1012587+depthfirst-dev[bot]@users.noreply.github.com>
Date: Thu, 23 Apr 2026 02:47:11 +0000
Subject: [PATCH] avformat/rtpdec_mpeg4: reject zero-length AU header sections

Reject AU header sections with a signaled length of zero in
rtp_parse_mp4_au().

The AU-headers-length field specifies the length in bits of the AU header
section that immediately follows. A zero-length section is not useful input
for this parser and can lead to invalid downstream state, so reject it
up front together with oversized values.

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*

Fixes: OOB read
---
 libavformat/rtpdec_mpeg4.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c
index 80e89bda70..2a9ee9908a 100644
--- a/libavformat/rtpdec_mpeg4.c
+++ b/libavformat/rtpdec_mpeg4.c
@@ -138,7 +138,7 @@ static int rtp_parse_mp4_au(PayloadContext *data, const 
uint8_t *buf, int len)
        length in bits */
     au_headers_length = AV_RB16(buf);
 
-    if (au_headers_length > RTP_MAX_PACKET_LENGTH)
+    if (au_headers_length == 0 || au_headers_length > RTP_MAX_PACKET_LENGTH)
       return -1;
 
     data->au_headers_length_bytes = (au_headers_length + 7) / 8;
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to