This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit 4c503ffbfa66388bd46e1d2c7eac30dbd13b4131 Author: depthfirst-dev[bot] <1012587+depthfirst-dev[bot]@users.noreply.github.com> AuthorDate: Wed Apr 22 23:44:01 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun May 3 19:57:03 2026 +0200 avformat/rtsp: Fix out-of-bounds read in SDP parser when control_url is empty Guard against empty string before reading the last byte in control_url. When parsing relative a=control: paths, if no base control URL was set, the code would access control_url[strlen(control_url)-1] which on an empty string causes a size_t underflow and out-of-bounds read. Now compute the length first and check for len == 0 before array access. *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst* *Patch validated by Zheng Yu at depthfirst* Fixes: DFVULN-611 (cherry picked from commit 1a00ea51cbaf3967718ee0ceeb51a127d42bd249) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/rtsp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index e5fb75013c..b5d69b23d5 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -612,7 +612,8 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1, NULL, NULL, 0, p); if (proto[0] == '\0') { /* relative control URL */ - if (rtsp_st->control_url[strlen(rtsp_st->control_url)-1]!='/') + size_t len = strlen(rtsp_st->control_url); + if (len == 0 || rtsp_st->control_url[len - 1] != '/') av_strlcat(rtsp_st->control_url, "/", sizeof(rtsp_st->control_url)); av_strlcat(rtsp_st->control_url, p, _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
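Review bot: In the new condition `if (len == 0 || rtsp_st->control_url[len - 1] != '/')`, the `len == 0` case still falls through to the `av_strlcat(rtsp_st->control_url, "/", ...)` call, so an empty base combined with a relative `a=control:` value `p` yields "/" followed by `p` rather than `p` alone. The out-of-bounds read is closed either way, but please confirm that a leading slash is the intended result when no base control URL was set. If it is not, `if (len > 0 && rtsp_st->control_url[len - 1] != '/')` avoids both the read and the extra separator. A one-line comment on the empty-base case next to the `size_t len` declaration would also help, since the reasoning currently lives only in the commit message.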
