github-mirrors/FFmpeg
1
0
Fork 0
mirror of https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg synced 2026-04-30 22:00:51 +08:00
Code Issues Packages Projects Releases Wiki Activity

avformat/rtspdec: reject non-positive ANNOUNCE Content-Length

Browse Source 
rtsp_read_announce() treated any non-zero Content-Length as valid,
including negative values parsed via strtol(). This could send invalid
sizes into allocation, body reads and trailing NUL writes.

Accept only strictly positive SDP body lengths and reject invalid
Content-Length values with AVERROR_INVALIDDATA.

Found-by: Seung Min Shin (was reported to us on 10th April)
CC: 신승민 <guncraft2000@naver.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
depthfirst-dev[bot]
2026-04-23 02:47:11 +00:00
committed by Marvin Scholz
parent 9eaa559847
commit eec78bdac1
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
libavformat/rtspdec.c
View File

@@ -191,7 +191,7 @@ static int rtsp_read_announce(AVFormatContext *s)
rtsp_send_reply(s, RTSP_STATUS_SERVICE, NULL, request.seq);
return AVERROR_OPTION_NOT_FOUND;
}
if (request.content_length) {
if (request.content_length > 0) {
sdp = av_malloc(request.content_length + 1);
if (!sdp)
return AVERROR(ENOMEM);
@@ -215,10 +215,10 @@ static int rtsp_read_announce(AVFormatContext *s)
return 0;
}
av_log(s, AV_LOG_ERROR,
"Content-Length header value exceeds sdp allocated buffer (4KB)\n");
"Invalid ANNOUNCE Content-Length %d\n", request.content_length);
rtsp_send_reply(s, RTSP_STATUS_INTERNAL,
"Content-Length exceeds buffer size", request.seq);
return AVERROR(EIO);
"Invalid Content-Length", request.seq);
return AVERROR_INVALIDDATA;
}
static int rtsp_read_options(AVFormatContext *s)