This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit 897ab53e0af24f876031296875e8098e79967b48 Author: depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com> AuthorDate: Thu Apr 23 02:47:11 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 18:55:11 2026 +0200 avformat/rtspdec: reject non-positive ANNOUNCE Content-Length rtsp_read_announce() treated any non-zero Content-Length as valid, including negative values parsed via strtol(). This could send invalid sizes into allocation, body reads and trailing NUL writes. Accept only strictly positive SDP body lengths and reject invalid Content-Length values with AVERROR_INVALIDDATA. Found-by: Seung Min Shin (was reported to us on 10th April) CC: 신승민 <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit eec78bdac1ae585d7e07df61844684a0e3ec4680) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/rtspdec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/rtspdec.c b/libavformat/rtspdec.c index 113da975e1..f56578bae4 100644 --- a/libavformat/rtspdec.c +++ b/libavformat/rtspdec.c @@ -185,7 +185,8 @@ static int rtsp_read_announce(AVFormatContext *s) rtsp_send_reply(s, RTSP_STATUS_SERVICE, NULL, request.seq); return AVERROR_OPTION_NOT_FOUND; } - if (request.content_length && request.content_length < sizeof(sdp) - 1) { + + if (request.content_length > 0 && request.content_length < sizeof(sdp) - 1) { /* Read SDP */ if (ffurl_read_complete(rt->rtsp_hd, sdp, request.content_length) < request.content_length) { @@ -203,10 +204,10 @@ static int rtsp_read_announce(AVFormatContext *s) return 0; } av_log(s, AV_LOG_ERROR, - "Content-Length header value exceeds sdp allocated buffer (4KB)\n"); + "Invalid ANNOUNCE Content-Length %d\n", request.content_length); rtsp_send_reply(s, RTSP_STATUS_INTERNAL, - "Content-Length exceeds buffer size", request.seq); - return AVERROR(EIO); + "Invalid Content-Length", request.seq); + return AVERROR_INVALIDDATA; } static int rtsp_read_options(AVFormatContext *s) _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
