This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit 031b93537fdcc788b051431d8ca6ee7b3c3ced9d Author: depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com> AuthorDate: Thu Apr 23 02:47:11 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 18:55:14 2026 +0200 avformat/rtmpproto: validate compressed SWF header length Reject truncated compressed SWF input before attempting to read the 8-byte header in rtmp_calc_swfhash(). Compressed SWF data identified by the "CWS" signature must be at least 8 bytes long to contain the fixed header. Bail out early when the input is shorter to avoid operating on malformed data. *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst* *Patch validated by Zheng Yu at depthfirst* Fixes: DFVULN-612 (cherry picked from commit 52b78cd3fe411662b1db06e63c17b5d1399155ee) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/rtmpproto.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 7db1d26142..f8dd7a3899 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -1160,6 +1160,10 @@ static int rtmp_calc_swfhash(URLContext *s) if (!memcmp(in_data, "CWS", 3)) { #if CONFIG_ZLIB int64_t out_size; + if (in_size < 8) { + ret = AVERROR_INVALIDDATA; + goto fail; + } /* Decompress the SWF player file using Zlib. */ if (!(out_data = av_malloc(8))) { ret = AVERROR(ENOMEM); _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
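Review bot: the new `if (in_size < 8)` guard sits inside the `#if CONFIG_ZLIB` block, so a build without zlib gets no length validation on the "CWS" path; if the `#else` branch (not shown in this hunk) rejects compressed input outright that is fine, otherwise the check belongs before the `#if` so the bound holds for every configuration. The constant 8 also deserves a comment tying it to the fixed SWF header that the commit message mentions (3-byte signature, 1-byte version, 4-byte uncompressed length), and since the same 8 is passed to `av_malloc(8)` a few lines below, a single named constant or a one-line comment such as `/* CWS header: signature(3) + version(1) + length(4) */` would make the relationship between the check and the allocation explicit.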
