avformat/rtpdec_rfc4175: Check dimensions

Fixes: out of array access Fixes: zeropath/int_overflow_in_rtpdec_rfc4175 Found-by: Joshua Rogers <joshua@joshua.hu> Reviewed-by: Joshua Rogers <joshua@joshua.hu> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-11-29 05:57:37 +02:00 · 2025-10-31 16:28:49 +01:00
parent c03e49dd1d
commit d4e0d5ed48
1 changed files with 7 additions and 0 deletions
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -25,6 +25,7 @@
 #include "rtpdec_formats.h"
 #include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/mem.h"
 #include "libavutil/pixdesc.h"
 #include "libavutil/parseutils.h"
@@ -193,6 +194,9 @@ static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
        if (ret < 0)
            goto fail;

+        ret = av_image_check_size(data->width, data->height, 0, s);
+        if (ret < 0)
+            goto fail;

        stream->codecpar->width = data->width;
        stream->codecpar->height = data->height;
@@ -303,6 +307,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx, PayloadContext *data,
        if (data->interlaced)
            line = 2 * line + field;

+        if (line >= data->height)
+            return AVERROR_INVALIDDATA;
+
        /* prevent ill-formed packets to write after buffer's end */
        copy_offset = (line * data->width + offset) * data->pgroup / data->xinc;
        if (copy_offset + length > data->frame_size || !data->frame)