Files
FFmpeg/libavformat/whip.c
Ruikai Peng 7466d8a850 avformat/whip: check RTP history packet size before RTX retransmission
handle_rtx_packet() constructs an RTX packet by shifting the payload
of a history entry to insert the original sequence number. It uses
memmove with length (ori_size - 12), but never checks that ori_size
is at least 12 bytes (the minimum RTP header size).

Zero-initialized history slots have seq == 0 and size == 0.
rtp_history_find() only compares sequence numbers, so an RTCP NACK
requesting seq 0 early in a session matches such a slot. The
subtraction then wraps to a huge value when converted to size_t,
causing a stack buffer overflow in memmove().

Add a little size check to reject history entries smaller than a
valid RTP header before any arithmetic on their size.

Found-by: Pwno
2026-04-02 12:19:09 +00:00
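The bug class the commit message describes, as an added example written for this page (it is not FFmpeg's whip.c; the struct layout, slot count, sizes and function names are assumptions): a zero-initialised RTX history whose lookup compares only sequence numbers, the int-to-size_t wrap that an unchecked `ori_size - 12` produces, and the hardened packet builder that rejects entries shorter than a 12-byte RTP header before touching their size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of an RTX (RFC 4588) retransmission path.
 * Written to illustrate the commit message; not FFmpeg code. All names and
 * sizes here are assumptions. */

#define RTP_HEADER_SIZE 12   /* minimum fixed RTP header */
#define RTX_OSN_SIZE     2   /* original sequence number inserted after the header */
#define HISTORY_SLOTS    8
#define MAX_PKT         64

struct rtp_history_entry {
    uint16_t seq;
    int      size;            /* bytes valid in data[] */
    uint8_t  data[MAX_PKT];
};

struct rtp_history {
    /* zero-initialised slots have seq == 0 and size == 0 */
    struct rtp_history_entry slot[HISTORY_SLOTS];
};

static void rtp_history_store(struct rtp_history *h, uint16_t seq,
                              const uint8_t *pkt, int size)
{
    struct rtp_history_entry *e = &h->slot[seq % HISTORY_SLOTS];
    if (size < 0 || size > MAX_PKT)
        return;
    e->seq  = seq;
    e->size = size;
    memcpy(e->data, pkt, (size_t)size);
}

/* Lookup by sequence number only: an untouched slot matches a NACK for seq 0 */
static struct rtp_history_entry *rtp_history_find(struct rtp_history *h, uint16_t seq)
{
    for (int i = 0; i < HISTORY_SLOTS; i++)
        if (h->slot[i].seq == seq)
            return &h->slot[i];
    return NULL;
}

/* What the unchecked arithmetic hands to memmove: ori_size - 12 evaluated in
 * int, then converted to size_t. Any ori_size below 12 wraps to a huge length. */
static size_t unchecked_memmove_len(int ori_size)
{
    return (size_t)(ori_size - RTP_HEADER_SIZE);
}

/* Hardened RTX construction: reject entries shorter than an RTP header before
 * doing any arithmetic on their size. Returns the RTX length, or -1. */
static int build_rtx_packet(const struct rtp_history_entry *e, uint8_t *out, size_t out_cap)
{
    if (!e || e->size < RTP_HEADER_SIZE)
        return -1;
    size_t payload = (size_t)e->size - RTP_HEADER_SIZE;   /* cannot underflow now */
    if ((size_t)e->size + RTX_OSN_SIZE > out_cap)
        return -1;
    memcpy(out, e->data, (size_t)e->size);
    /* shift the payload right by 2 bytes (regions overlap, hence memmove) ... */
    memmove(out + RTP_HEADER_SIZE + RTX_OSN_SIZE, out + RTP_HEADER_SIZE, payload);
    /* ... and write the original sequence number into the gap, network order */
    out[RTP_HEADER_SIZE]     = (uint8_t)(e->seq >> 8);
    out[RTP_HEADER_SIZE + 1] = (uint8_t)(e->seq & 0xff);
    return e->size + RTX_OSN_SIZE;
}

static int handle_nack(struct rtp_history *h, uint16_t seq, uint8_t *out, size_t out_cap)
{
    return build_rtx_packet(rtp_history_find(h, seq), out, out_cap);
}

/* Scenario 1: NACK for seq 0 against a fresh history. find() returns an empty
 * slot; the size check rejects it instead of feeding -12 to memmove. */
static int nack_against_empty_history(void)
{
    struct rtp_history h = {0};
    uint8_t out[MAX_PKT + RTX_OSN_SIZE];
    return handle_nack(&h, 0, out, sizeof out);
}

/* Scenario 2: a constructed 20-byte RTP packet (12-byte header, 8-byte payload)
 * is stored as seq 1234, then retransmitted. Returns 1 when the RTX packet is
 * 22 bytes, carries OSN 0x04D2 at offset 12 and the payload shifted by 2. */
static int rtx_roundtrip_ok(void)
{
    struct rtp_history h = {0};
    uint8_t pkt[20] = {0x80, 0x60, 0x04, 0xD2, 0, 0, 0, 1, 0xDE, 0xAD, 0xBE, 0xEF,
                       0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22};
    uint8_t out[MAX_PKT + RTX_OSN_SIZE];
    rtp_history_store(&h, 1234, pkt, (int)sizeof pkt);
    int n = handle_nack(&h, 1234, out, sizeof out);
    return n == 22
        && out[12] == 0x04 && out[13] == 0xD2
        && out[14] == 0xAA && out[21] == 0x22
        && memcmp(out, pkt, RTP_HEADER_SIZE) == 0;
}

int main(void)
{
    printf("unchecked memmove length for size 0: %zu\n", unchecked_memmove_len(0));
    printf("NACK seq 0 on empty history: %d\n", nack_against_empty_history());
    printf("RTX roundtrip ok: %d\n", rtx_roundtrip_ok());
    return 0;
}
```

The check sits before the subtraction on purpose: once `e->size - 12` has been evaluated in int and converted to size_t there is no cheap way to tell a wrapped length from a genuine one, so the bound has to be enforced on the source value. Validating `size` when the entry is stored is a good second line of defence, but it does not cover the never-written zero slots that the lookup can still return.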
