From 5c3602abaa50dfe60a3356de5abff73f15df0f99 Mon Sep 17 00:00:00 2001
From: bird <6666242+bird@users.noreply.github.com>
Date: Sun, 5 Apr 2026 05:52:03 +0000
Subject: [PATCH] avformat/sctp: add size check in sctp_read() matching
 sctp_write()

Commit 5b98cea4 added a size < 2 guard to sctp_write() to prevent
out-of-bounds access when max_streams is enabled, but the identical
pattern in sctp_read() was not addressed.

When max_streams is non-zero, sctp_read() passes (buf + 2, size - 2)
to ff_sctp_recvmsg(). If size < 2, size - 2 wraps to a large value
on the implicit cast to size_t in the callee.

Add the same guard.

Signed-off-by: bird <6666242+bird@users.noreply.github.com>
---
 libavformat/sctp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/sctp.c b/libavformat/sctp.c
index 9a6b991803..0efac12d96 100644
--- a/libavformat/sctp.c
+++ b/libavformat/sctp.c
@@ -309,6 +309,9 @@ static int sctp_read(URLContext *h, uint8_t *buf, int size)
     }
 
     if (s->max_streams) {
+        if (size < 2)
+            return AVERROR(EINVAL);
+
         /*StreamId is introduced as a 2byte code into the stream*/
         struct sctp_sndrcvinfo info = { 0 };
         ret = ff_sctp_recvmsg(s->fd, buf + 2, size - 2, NULL, 0, &info, 0);