github-mirrors/FFmpeg
1
0
Fork 0
mirror of https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg synced 2026-04-20 21:00:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

avformat/sctp: add size check in sctp_read() matching sctp_write()

Browse Source 
Commit 5b98cea4 added a size < 2 guard to sctp_write() to prevent
out-of-bounds access when max_streams is enabled, but the identical
pattern in sctp_read() was not addressed.

When max_streams is non-zero, sctp_read() passes (buf + 2, size - 2)
to ff_sctp_recvmsg(). If size < 2, size - 2 wraps to a large value
on the implicit cast to size_t in the callee.

Add the same guard.

Signed-off-by: bird <6666242+bird@users.noreply.github.com>
This commit is contained in:
bird
2026-04-05 05:52:03 +00:00
committed by Marton Balint
parent db53fe1ac2
commit 5c3602abaa
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
libavformat/sctp.c
View File

@@ -309,6 +309,9 @@ static int sctp_read(URLContext *h, uint8_t *buf, int size)
}
if (s->max_streams) {
if (size < 2)
return AVERROR(EINVAL);
/*StreamId is introduced as a 2byte code into the stream*/
struct sctp_sndrcvinfo info = { 0 };
ret = ff_sctp_recvmsg(s->fd, buf + 2, size - 2, NULL, 0, &info, 0);