[FFmpeg-cvslog] [ffmpeg] avformat/rtpdec_av1: fix buffer overflow due to variable confusion (branch release/8.0)

Tue, 12 May 2026 07:15:09 -0700 

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/8.0
in repository ffmpeg.

The following commit(s) were added to refs/heads/release/8.0 by this push:
     new 4dc102b1f9 avformat/rtpdec_av1: fix buffer overflow due to variable 
confusion
4dc102b1f9 is described below

commit 4dc102b1f99de788bb2c7b7d8f589797aea1715c
Author:     Marvin Scholz <[email protected]>
AuthorDate: Wed Apr 29 13:52:28 2026 +0200
Commit:     Marvin Scholz <[email protected]>
CommitDate: Tue May 12 16:10:13 2026 +0200

    avformat/rtpdec_av1: fix buffer overflow due to variable confusion
    
    The pktpos denotes the position in the output packet buffer, while
    buf_ptr is the position in the input buffer. As this payload is ignored,
    nothing is written to the output packet so increasing the pktpos does
    not make sense here, instead the buf_ptr has to be increased to advance
    the input buffer to the correct position after this OBU.
    
    This incorrect increment here could result in pktpos exceeding the whole
    size of the output packet and the later call to memcpy to write to that
    buffer would start its write way past the end of the packet buffer.
    
    Fix #22812
    
    Reported-By: fre3dm4n
    (cherry picked from commit 18761f9fb55c697243acd41689fbee6a6d6f13ca)
    Signed-off-by: Marvin Scholz <[email protected]>
---
 libavformat/rtpdec_av1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/rtpdec_av1.c b/libavformat/rtpdec_av1.c
index 7cfc83b03c..1eb987368d 100644
--- a/libavformat/rtpdec_av1.c
+++ b/libavformat/rtpdec_av1.c
@@ -249,7 +249,7 @@ static int av1_handle_packet(AVFormatContext *ctx, 
PayloadContext *data,
             // ignore and remove OBUs according to spec
             if ((obu_type == AV1_OBU_TEMPORAL_DELIMITER) ||
                 (obu_type == AV1_OBU_TILE_LIST)) {
-                pktpos += obu_size;
+                buf_ptr += obu_size;
                 rem_pkt_size -= obu_size;
                 // TODO: This probably breaks if the OBU_TILE_LIST is 
fragmented
                 // into the next RTP packet, so at least check and fail here

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to