avformat/rtpdec_rfc4175: Check dimensions

author Michael Niedermayer <michael@niedermayer.cc>

Fri, 31 Oct 2025 15:28:49 +0000 (16:28 +0100)

committer Michael Niedermayer <michael@niedermayer.cc>

Wed, 19 Nov 2025 01:05:01 +0000 (02:05 +0100)
author Michael Niedermayer <michael@niedermayer.cc>
Fri, 31 Oct 2025 15:28:49 +0000 (16:28 +0100)
committer Michael Niedermayer <michael@niedermayer.cc>
Wed, 19 Nov 2025 01:05:01 +0000 (02:05 +0100)
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c

index c41e4f19e09965c29b81707de3236c8fbb5ad269..4ad69500aa732cc2f2bde8c3cab4855dbbd6dd57 100644 (file)
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -24,6 +24,7 @@
  #include "avio_internal.h"
  #include "rtpdec_formats.h"
  #include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
  #include "libavutil/mem.h"
  #include "libavutil/pixdesc.h"
  #include "libavutil/parseutils.h"
@@ -186,6 +187,9 @@ static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
          if (ret < 0)
              return ret;
  
+        ret = av_image_check_size(data->width, data->height, 0, s);
+        if (ret < 0)
+            return ret;
  
          if (!data->sampling || !data->depth || !data->width || !data->height)
              return AVERROR(EINVAL);
@@ -296,6 +300,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx, PayloadContext *data,
          if (data->interlaced)
              line = 2 * line + field;
  
+        if (line >= data->height)
+            return AVERROR_INVALIDDATA;
+
          /* prevent ill-formed packets to write after buffer's end */
          copy_offset = (line * data->width + offset) * data->pgroup / data->xinc;
          if (copy_offset + length > data->frame_size || !data->frame)
author	Michael Niedermayer <michael@niedermayer.cc>
	Fri, 31 Oct 2025 15:28:49 +0000 (16:28 +0100)
committer	Michael Niedermayer <michael@niedermayer.cc>
	Wed, 19 Nov 2025 01:05:01 +0000 (02:05 +0100)