This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/7.1 in repository ffmpeg.
commit b479e4f408566ff0cdb478e0e559adc907df4a11 Author: Michael Niedermayer <[email protected]> AuthorDate: Sat Nov 1 02:02:44 2025 +0100 Commit: Michael Niedermayer <[email protected]> CommitDate: Mon May 4 15:57:25 2026 +0200 avformat/rtpdec_qdm2: Check block_size Fixes: out of array access no testcase Found-by: Joshua Rogers <[email protected]> with ZeroPath Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 29a097385573645590418db12cc340f4bd60be7c) Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/rtpdec_qdm2.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpdec_qdm2.c b/libavformat/rtpdec_qdm2.c index dce3c48bcc..9d71fe67dd 100644 --- a/libavformat/rtpdec_qdm2.c +++ b/libavformat/rtpdec_qdm2.c @@ -186,8 +186,9 @@ static int qdm2_parse_subpacket(PayloadContext *qdm, AVStream *st, */ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt) { - int to_copy, n, res, include_csum; + int to_copy, n, res; uint8_t *p, *csum_pos = NULL; + int include_csum = qdm->block_type == 2 || qdm->block_type == 4; /* create packet to hold subpkts into a superblock */ av_assert0(qdm->cache > 0); @@ -196,6 +197,11 @@ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt) break; av_assert0(n < 0x80); + int min_size = 2 + (qdm->len[n] > 0xff) + 2*include_csum; + + if (qdm->block_size < min_size) + return AVERROR_INVALIDDATA; + if ((res = av_new_packet(pkt, qdm->block_size)) < 0) return res; memset(pkt->data, 0, pkt->size); @@ -211,7 +217,7 @@ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt) *p++ = qdm->block_type; *p++ = qdm->len[n]; } - if ((include_csum = (qdm->block_type == 2 || qdm->block_type == 4))) { + if (include_csum) { csum_pos = p; p += 2; } _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
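Review bot: The new `min_size` formula in qdm2_restore_block packs the superblock header layout into bare constants, so a reader cannot tell from the guard which bytes it reserves before `av_new_packet()` sizes the buffer. A one-line comment above it would pin that down, e.g. `/* type byte + 1- or 2-byte length field, plus 2 checksum bytes when include_csum is set */`; the checksum bytes and the 1-byte length case are visible in the last hunk (`p += 2`, `*p++ = qdm->len[n]`), while the wide-length branch lies outside the hunks, so the extra byte for `len[n] > 0xff` should be confirmed against it. `int min_size` is also declared after the `av_assert0(n < 0x80)` statement; if this release branch is still built with declaration-after-statement warnings, declare it alongside `to_copy, n, res` and only assign it here. The body of qdm2_restore_block starts and ends outside this hunk.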
