On Fri, 24 Oct 2025, 14:52 michaelni via ffmpeg-devel, <[email protected]> wrote:
> PR #20746 opened by michaelni > URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20746 > Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20746.patch > > Fixes: memcpy with negative size > Fixes: momo_trip-poc/input > > Reported-by: Momoko Shiraishi <[email protected]> > Signed-off-by: Michael Niedermayer <[email protected]> > > > >From 3924caed9dd6345bcfa5ce09e9dbc8d5403a7525 Mon Sep 17 00:00:00 2001 > From: Michael Niedermayer <[email protected]> > Date: Fri, 24 Oct 2025 20:29:23 +0200 > Subject: [PATCH] avformat/rtpenc_h264_hevc: Check space for > nal_length_size in > ff_rtp_send_h264_hevc() > > Fixes: memcpy with negative size > Fixes: momo_trip-poc/input > > Reported-by: Momoko Shiraishi <[email protected]> > Signed-off-by: Michael Niedermayer <[email protected]> > --- > libavformat/rtpenc_h264_hevc.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libavformat/rtpenc_h264_hevc.c > b/libavformat/rtpenc_h264_hevc.c > index 4d222dca75..ea19cb0627 100644 > --- a/libavformat/rtpenc_h264_hevc.c > +++ b/libavformat/rtpenc_h264_hevc.c > @@ -196,6 +196,8 @@ void ff_rtp_send_h264_hevc(AVFormatContext *s1, const > uint8_t *buf1, int size) > r1 = ff_nal_mp4_find_startcode(r, end, s->nal_length_size); > if (!r1) > r1 = end; > + if (r1 - r < s->nal_length_size) > + break; > r += s->nal_length_size; > } else { > while (!*(r++)); > -- > 2.49.1 > Is this not a bug in ff_nal_mp4_find_startcode? If not, please add a comment as to the reason this condition happens. Kieran > _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
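
Review bot: the added `if (r1 - r < s->nal_length_size)` check in ff_rtp_send_h264_hevc() has no comment saying when it can be true, and the `break` under it stops processing the remaining input without any diagnostic. From the visible lines, one case is the fallback `r1 = end` with fewer than `s->nal_length_size` bytes left, where the following `r += s->nal_length_size` would move `r` past `r1` and produce the negative size named in the commit message. Whether `ff_nal_mp4_find_startcode()` can also return a non-NULL `r1` that close to `r` is not visible in this hunk and should be stated in the comment or fixed in that function. Suggest a one-line comment above the check naming the case it guards, and an `av_log(s1, AV_LOG_WARNING, ...)` before the `break` so a truncated length prefix can be diagnosed.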
