This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit 36a9b6c064eb06b63176c1c020a6c516d5a61bd7 Author: Franciszek Kalinowski <[email protected]> AuthorDate: Tue May 19 09:33:00 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Jun 14 04:59:00 2026 +0200 avformat/rtpenc_aac: reject packets smaller than the ADTS header When extradata_size == 0, ff_rtp_send_aac() does `size -= 7` to skip the ADTS header without checking size >= 7. A short packet makes size negative, and the value is later passed to memcpy() as size_t, reading past the buffer end. Bail out instead. The vulnerable branch is not reached when using the built-in AAC encoder (which always emits extradata), but an application that feeds raw ADTS-stripped AAC packets through the libavformat RTP muxer can hit it. The fix is a one-line lower-bound check and compiles/runs cleanly; see audit PoC for the static analysis and reachable-by-API write-up. Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Smigielski. (cherry picked from commit a44cae9025e96be2c220a64ef98a678fe6e0df77) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/rtpenc_aac.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rtpenc_aac.c b/libavformat/rtpenc_aac.c index fad8ea2a5b..96bdb3f706 100644 --- a/libavformat/rtpenc_aac.c +++ b/libavformat/rtpenc_aac.c @@ -34,6 +34,10 @@ void ff_rtp_send_aac(AVFormatContext *s1, const uint8_t *buff, int size) /* skip ADTS header, if present */ if ((s1->streams[0]->codecpar->extradata_size) == 0) { + if (size < 7) { + av_log(s1, AV_LOG_ERROR, "AAC packet too small for ADTS header\n"); + return; + } size -= 7; buff += 7; } _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
