This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/4.4
in repository ffmpeg.

commit ebc5fd31d0e9341a688e669674a2f13ccb423d72
Author:     depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com>
AuthorDate: Thu Apr 23 02:47:11 2026 +0000
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Tue May 5 18:55:14 2026 +0200

    avformat/rtpdec_latm: avoid integer overflow in LATM length parsing
    
    latm_parse_packet() accumulated attacker-controlled AU length bytes in
    a signed int and later checked data->pos + cur_len against data->len.
    That addition could overflow, allowing malformed packets to bypass the
    bounds check and drive memcpy() far past the end of the LATM buffer.
    
    Reject length-byte accumulation that would exceed the remaining packet
    size, and compare cur_len against the remaining buffer space using
    subtraction so the bounds check cannot overflow.
    
    Fixes: DFVULN-610
    
    *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
    *Patch validated by Zheng Yu at depthfirst*
    
    (cherry picked from commit 664d44a8254813a6d78432e57e02223a1e185467)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/rtpdec_latm.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/rtpdec_latm.c b/libavformat/rtpdec_latm.c
index 104a00af18..e2ecd540ba 100644
--- a/libavformat/rtpdec_latm.c
+++ b/libavformat/rtpdec_latm.c
@@ -72,11 +72,15 @@ static int latm_parse_packet(AVFormatContext *ctx, 
PayloadContext *data,
     cur_len = 0;
     while (data->pos < data->len) {
         uint8_t val = data->buf[data->pos++];
+        if (val > data->len - cur_len) {
+            av_log(ctx, AV_LOG_ERROR, "Malformed LATM packet\n");
+            return AVERROR_INVALIDDATA;
+        }
         cur_len += val;
         if (val != 0xff)
             break;
     }
-    if (data->pos + cur_len > data->len) {
+    if (cur_len > data->len - data->pos) {
         av_log(ctx, AV_LOG_ERROR, "Malformed LATM packet\n");
         return AVERROR(EIO);
     }
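
Review bot: The new in-loop check `if (val > data->len - cur_len)` bounds the accumulated length by the whole buffer size `data->len`, not by the bytes left after `data->pos`, which is what the commit message describes ("exceed the remaining packet size"). It does keep `cur_len += val` from growing past `data->len`, and the rewritten check after the loop, `cur_len > data->len - data->pos`, then enforces the real bound, so the result looks correct. A short comment stating that the loop check only guards the accumulation while the check after the loop enforces the actual limit would make that split clear. Separately, the two rejection paths log the same "Malformed LATM packet" message but return different codes, `AVERROR_INVALIDDATA` in the loop and `AVERROR(EIO)` after it. Consider returning the same code from both, or using distinct messages, so callers and log readers can tell the two apart.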
