This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit d773a4ab252e9c244a78314055e015d4a3ab3651 Author: depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com> AuthorDate: Wed Apr 22 23:44:01 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 18:55:14 2026 +0200 avformat/rtsp: Fix out-of-bounds read in SDP parser when control_url is empty Guard against empty string before reading the last byte in control_url. When parsing relative a=control: paths, if no base control URL was set, the code would access control_url[strlen(control_url)-1] which on an empty string causes a size_t underflow and out-of-bounds read. Now compute the length first and check for len == 0 before array access. *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst* *Patch validated by Zheng Yu at depthfirst* Fixes: DFVULN-611 (cherry picked from commit 1a00ea51cbaf3967718ee0ceeb51a127d42bd249) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/rtsp.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 63a360e2c2..7a1a312839 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -585,9 +585,10 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1, NULL, NULL, 0, p); if (proto[0] == '\0') { /* relative control URL */ - if (rtsp_st->control_url[strlen(rtsp_st->control_url)-1]!='/') - av_strlcat(rtsp_st->control_url, "/", - sizeof(rtsp_st->control_url)); + size_t len = strlen(rtsp_st->control_url); + if (len == 0 || rtsp_st->control_url[len - 1] != '/') + av_strlcat(rtsp_st->control_url, "/", + sizeof(rtsp_st->control_url)); av_strlcat(rtsp_st->control_url, p, sizeof(rtsp_st->control_url)); } else _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
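Review bot: In the `len == 0` arm of the new condition in sdp_parse_line(), an empty control_url now gets "/" appended before `p`, so a relative a=control: value with no base URL ends up as "/" followed by p instead of just p. The out-of-bounds read is closed either way, but if the goal is only to avoid the size_t underflow, `if (len > 0 && rtsp_st->control_url[len - 1] != '/')` would skip the separator for an empty base and leave the path as received; if the leading slash is intended, a one-line comment saying so would make that explicit. Separately, both av_strlcat() calls in this hunk ignore their return value, so truncation against sizeof(rtsp_st->control_url) passes silently; checking it and logging a warning would be a reasonable follow-up.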
