PR #21561 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21561 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21561.patch
Fixes: out of array access Fixes: VULN-8 Found-by: Zhenpeng (Leo) Lin from depthfirst Signed-off-by: Michael Niedermayer <[email protected]> >From e378f617e5fa0d6c321e297c0eaab3ee123baeb8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Fri, 23 Jan 2026 15:28:58 +0100 Subject: [PATCH] avformat/mpegtsenc: Check remaining space in SDT Fixes: out of array access Fixes: VULN-8 Found-by: Zhenpeng (Leo) Lin from depthfirst Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/mpegtsenc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index ea7c6065a0..96cdea955e 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -57,6 +57,7 @@ typedef struct MpegTSSection { int discontinuity; void (*write_packet)(struct MpegTSSection *s, const uint8_t *packet); void *opaque; + int remaining; } MpegTSSection; typedef struct MpegTSService { @@ -1018,6 +1019,10 @@ static MpegTSService *mpegts_add_service(AVFormatContext *s, int sid, av_log(s, AV_LOG_ERROR, "Too long service or provider name\n"); goto fail; } + ts->sdt.remaining -= 10 + service->provider_name[0] + service->name[0]; + if (ts->sdt.remaining < 0) + goto fail; + if (av_dynarray_add_nofree(&ts->services, &ts->nb_services, service) < 0) goto fail; @@ -1128,6 +1133,8 @@ static int mpegts_init(AVFormatContext *s) // round up to a whole number of TS packets ts->pes_payload_size = (ts->pes_payload_size + 14 + 183) / 184 * 184 - 14; + ts->sdt.remaining = SECTION_LENGTH - 3; + if (!s->nb_programs) { /* allocate a single DVB service */ if (!mpegts_add_service(s, ts->service_id, s->metadata, NULL)) -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
