The branch, master has been updated
via d4e0d5ed48aa9c0e11b9ddeea8c2d14632314089 (commit)
via c03e49dd1d8ee2dd21c24002dfac95644c830498 (commit)
via af3dee313223c722c34e8231cd6859188928a6e3 (commit)
from a8dd83b4b17de6a740bf55928b0a9b4f8c7d8626 (commit)
- Log -----------------------------------------------------------------
commit d4e0d5ed48aa9c0e11b9ddeea8c2d14632314089
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:28:49 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sat Nov 8 18:41:24 2025 +0100
avformat/rtpdec_rfc4175: Check dimensions
Fixes: out of array access
Fixes: zeropath/int_overflow_in_rtpdec_rfc4175
Found-by: Joshua Rogers <[email protected]>
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index d793f56949..b49fc55d2d 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -25,6 +25,7 @@
#include "rtpdec_formats.h"
#include "libavutil/avassert.h"
#include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
#include "libavutil/mem.h"
#include "libavutil/pixdesc.h"
#include "libavutil/parseutils.h"
@@ -193,6 +194,9 @@ static int rfc4175_parse_sdp_line(AVFormatContext *s, int
st_index,
if (ret < 0)
goto fail;
+ ret = av_image_check_size(data->width, data->height, 0, s);
+ if (ret < 0)
+ goto fail;
stream->codecpar->width = data->width;
stream->codecpar->height = data->height;
@@ -303,6 +307,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx,
PayloadContext *data,
if (data->interlaced)
line = 2 * line + field;
+ if (line >= data->height)
+ return AVERROR_INVALIDDATA;
+
/* prevent ill-formed packets to write after buffer's end */
copy_offset = (line * data->width + offset) * data->pgroup /
data->xinc;
if (copy_offset + length > data->frame_size || !data->frame)
commit c03e49dd1d8ee2dd21c24002dfac95644c830498
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:27:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sat Nov 8 18:41:24 2025 +0100
avformat/rtpdec_rfc4175: Only change PayloadContext on success
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index c41e4f19e0..d793f56949 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -23,6 +23,7 @@
#include "avio_internal.h"
#include "rtpdec_formats.h"
+#include "libavutil/avassert.h"
#include "libavutil/avstring.h"
#include "libavutil/mem.h"
#include "libavutil/pixdesc.h"
@@ -172,30 +173,36 @@ static int rfc4175_parse_fmtp(AVFormatContext *s,
AVStream *stream,
}
static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
- PayloadContext *data, const char *line)
+ PayloadContext *data_arg, const char *line)
{
const char *p;
if (st_index < 0)
return 0;
+ av_assert0(!data_arg->sampling);
+
if (av_strstart(line, "fmtp:", &p)) {
AVStream *stream = s->streams[st_index];
+ PayloadContext data0 = *data_arg, *data = &data0;
int ret = ff_parse_fmtp(s, stream, data, p, rfc4175_parse_fmtp);
- if (ret < 0)
- return ret;
+ if (!data->sampling || !data->depth || !data->width || !data->height)
+ ret = AVERROR(EINVAL);
+ if (ret < 0)
+ goto fail;
- if (!data->sampling || !data->depth || !data->width || !data->height)
- return AVERROR(EINVAL);
stream->codecpar->width = data->width;
stream->codecpar->height = data->height;
ret = rfc4175_parse_format(stream, data);
av_freep(&data->sampling);
-
+ if (ret >= 0)
+ *data_arg = *data;
+fail:
+ av_freep(&data->sampling);
return ret;
}
commit af3dee313223c722c34e8231cd6859188928a6e3
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:17:27 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sat Nov 8 18:41:17 2025 +0100
avformat/rtpdec_rfc4175: Fix memleak of sampling
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index d6260ab69e..c41e4f19e0 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -128,7 +128,7 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream
*stream,
data->width = atoi(value);
else if (!strncmp(attr, "height", 6))
data->height = atoi(value);
- else if (!strncmp(attr, "sampling", 8))
+ else if (data->sampling == NULL && !strncmp(attr, "sampling", 8))
data->sampling = av_strdup(value);
else if (!strncmp(attr, "depth", 5))
data->depth = atoi(value);
-----------------------------------------------------------------------
Summary of changes:
libavformat/rtpdec_rfc4175.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
hooks/post-receive
--
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
