This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit 120e53d4ee33268e0929f29db70c52b084152b63 Author: bird <[email protected]> AuthorDate: Sun Apr 5 05:52:03 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Thu Jun 18 04:03:04 2026 +0200 avformat/sctp: add size check in sctp_read() matching sctp_write() Commit 5b98cea4 added a size < 2 guard to sctp_write() to prevent out-of-bounds access when max_streams is enabled, but the identical pattern in sctp_read() was not addressed. When max_streams is non-zero, sctp_read() passes (buf + 2, size - 2) to ff_sctp_recvmsg(). If size < 2, size - 2 wraps to a large value on the implicit cast to size_t in the callee. Add the same guard. Signed-off-by: bird <[email protected]> (cherry picked from commit 5c3602abaa50dfe60a3356de5abff73f15df0f99) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/sctp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sctp.c b/libavformat/sctp.c index f39ba7ebe0..27d493144b 100644 --- a/libavformat/sctp.c +++ b/libavformat/sctp.c @@ -311,6 +311,9 @@ static int sctp_read(URLContext *h, uint8_t *buf, int size) } if (s->max_streams) { + if (size < 2) + return AVERROR(EINVAL); + /*StreamId is introduced as a 2byte code into the stream*/ struct sctp_sndrcvinfo info = { 0 }; ret = ff_sctp_recvmsg(s->fd, buf + 2, size - 2, NULL, 0, &info, 0); _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
