This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit 856d22943b2ffddc39bec732fee76e79243192c8 Author: depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com> AuthorDate: Thu Apr 23 02:47:11 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 18:55:15 2026 +0200 avformat/rtpdec_mpeg4: reject zero-length AU header sections Reject AU header sections with a signaled length of zero in rtp_parse_mp4_au(). The AU-headers-length field specifies the length in bits of the AU header section that immediately follows. A zero-length section is not useful input for this parser and can lead to invalid downstream state, so reject it up front together with oversized values. *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst* *Patch validated by Zheng Yu at depthfirst* Fixes: OOB read (cherry picked from commit 8010aa2193f5a354394a36eb7bfb57deaaf81c2e) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/rtpdec_mpeg4.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c index 34c7950bcc..0b54d417cf 100644 --- a/libavformat/rtpdec_mpeg4.c +++ b/libavformat/rtpdec_mpeg4.c @@ -132,7 +132,7 @@ static int rtp_parse_mp4_au(PayloadContext *data, const uint8_t *buf, int len) length in bits */ au_headers_length = AV_RB16(buf); - if (au_headers_length > RTP_MAX_PACKET_LENGTH) + if (au_headers_length == 0 || au_headers_length > RTP_MAX_PACKET_LENGTH) return -1; data->au_headers_length_bytes = (au_headers_length + 7) / 8; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
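Review bot: The added `au_headers_length == 0` test in rtp_parse_mp4_au() carries no comment explaining why a zero-length section is rejected, and the commit message says only that it "can lead to invalid downstream state" without naming the field or the read that goes out of bounds. A one-line comment above the check, stating which later computation breaks when the length is zero, would keep the condition from being dropped as redundant in a later cleanup. Separately, the upper bound compares a length in bits against RTP_MAX_PACKET_LENGTH, and the visible context does not show `au_headers_length_bytes` being checked against `len` after the `(au_headers_length + 7) / 8` conversion. It is worth confirming that such a check follows the assignment, since that is the bound that ties the header section to the data actually received.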
