virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2026-06-19 19:03:00 +02:00
Code Issues Releases Activity

avformat/rtsp: Fix out-of-bounds read in SDP parser when control_url is empty

Browse Source 
Guard against empty string before reading the last byte in control_url.
When parsing relative a=control: paths, if no base control URL was set,
the code would access control_url[strlen(control_url)-1] which on an
empty string causes a size_t underflow and out-of-bounds read.

Now compute the length first and check for len == 0 before array access.

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*

Fixes: DFVULN-611
(cherry picked from commit 1a00ea51cb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
depthfirst-dev[bot]
2026-04-22 23:44:01 +00:00
committed by Michael Niedermayer
parent 73d0665b8b
commit 4c503ffbfa
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavformat/rtsp.c
+2 -1
View File
@@ -612,7 +612,8 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1,
NULL, NULL, 0, p);
if (proto[0] == '\0') {
/* relative control URL */
if (rtsp_st->control_url[strlen(rtsp_st->control_url)-1]!='/')
size_t len = strlen(rtsp_st->control_url);
if (len == 0 || rtsp_st->control_url[len - 1] != '/')
av_strlcat(rtsp_st->control_url, "/",
sizeof(rtsp_st->control_url));
av_strlcat(rtsp_st->control_url, p,