From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id 0575C4B56F
	for <ffmpegdev@gitmailbox.com>; Fri, 24 Oct 2025 18:52:27 +0000 (UTC)
Authentication-Results: ffbox; dkim=fail (body hash mismatch (got 
   b'uJBEmD/kmHxLnWFfG5uAf23waj8DNrT9mb/0OVjBvdI=', expected 
   b'qWUWTJ4N+Cmh4cEBfEC8F1RS2KOkT51Z7s4kAxyxAAA=')) header.d=ffmpeg.org 
   header.i=@ffmpeg.org header.a=rsa-sha256
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1761331937; h=mime-version : to :
 date : message-id : reply-to : subject : list-id : list-archive :
 list-archive : list-help : list-owner : list-post : list-subscribe :
 list-unsubscribe : from : cc : content-type :
 content-transfer-encoding : from;
 bh=uJBEmD/kmHxLnWFfG5uAf23waj8DNrT9mb/0OVjBvdI=;
 b=0/CZk2JjRZXIdoB6oZWK8IWYMs6hA0xgCPJ3XE7fyYdXBhheSEFlV68rWddzgpE9MheYE
 5SIlLIIKIMsKZjz4uEv/z2B5IjyDz8UbC0Pdm279vditX/zbM581SAkRi/vjZ/39nvtI3Nd
 h/MYwLu72ZQD4TF+QLTHb8A7tINOrl2xXhHjKrw32L/UJlofmCn4Bl/eDg5vk01u5V4UrjK
 XeV4Vk9IVhZ2BDURT/hB6O3YARcuzhBrNArgkYPuk5CJTIMz/D0Y1KQSRpLVfNFibwq1K3a
 vy7ixJUgiHCB1AY4IapBsLu3jQgFweeM70CcS/6pkeYxcgnjO/hY2FrONsog==
Received: from [172.19.0.2] (unknown [172.19.0.2])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id A656468F658;
	Fri, 24 Oct 2025 21:52:17 +0300 (EEST)
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1761331936;
 b=ZDf4dwdhxDNHoQOUYmjqYrAVFunOxraaOihq652JuNyq0CNaLoG4niqhV5UyxxudWNzQx
 hSGIqj3ZmCMCLs+bZtLMFk5KSuXnHZ47OGHyr9NiI+1hurASUucMZNFenYfmYorJW0QSLrk
 gKNnFgPx1/KwKcZpNFJCFVMYuvyJtbxt+m5L+Mfanmmn9w4w8710YH1qDIkLXQhipOZbPhT
 gkB9muLnnNx04EYhKYFIUuWg0s3kPsplBMcZHQHT0uQFSDMqOwIGDowu0BDhHzSm336twsL
 a4rhEPzURNrBkyxcjGEaS90KNvEtUX4g70b1vzklynnDQF8NfSxWBjs9akBw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ffmpeg.org; s=arc; t=1761331936; h=from : sender : reply-to :
 subject : date : message-id : to : cc : mime-version : content-type :
 content-transfer-encoding : content-id : content-description :
 resent-date : resent-from : resent-sender : resent-to : resent-cc :
 resent-message-id : in-reply-to : references : list-id : list-help :
 list-unsubscribe : list-subscribe : list-post : list-owner :
 list-archive; bh=quHnXqyXtbC7FIEq/yQ6xyH9urNXkhJHaktF4gHjz1w=;
 b=Of0HuEt34QzxQx9SD8gxCUz4Vrf4ew123XwgT2fan7oaYrSpthGZv9ym3IffDYndmMkbe
 tV3fHiMsDGjoo68bYlDVVaTSOhy5pZCiTjTWfo7g6wYvnmaIqAesoTIto8Lnz0k7vGBvnGI
 fr+PZEasdcpME2u/3/FsaE2JsgzTQCUIWZ9j2VIfAa18zdnZE+aPg5JS/6WDw3mO7lwfBbO
 dvk68z/EMFNKoOnF/HzefHJ3fraXm+NVYH+Z7kYv8rQNOkZRwPw82Ow5EfjuXNV6CCjaw/s
 dASd5/cZw0ZijBgYYY/jSjAPSBayKXsLzcl3NIQp8IauKFR4S7EzFyEOCsvw==
ARC-Authentication-Results: i=1; ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none;
 dmarc=pass header.from=ffmpeg.org policy.dmarc=quarantine
Authentication-Results: ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none (Message is not ARC signed);
 dmarc=pass (Used From Domain Record) header.from=ffmpeg.org
 policy.dmarc=quarantine
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1761331930; h=content-type :
 mime-version : content-transfer-encoding : from : to : reply-to :
 subject : date : from;
 bh=qWUWTJ4N+Cmh4cEBfEC8F1RS2KOkT51Z7s4kAxyxAAA=;
 b=Ts2pwVeWYOxnXlcf8e6kgVlNn2NZGmzFrgj4e13VcIN8ncjLSQHcPoHe7ZTuzD0fwgMEh
 WgoDpwTA6kFU/k4d1vIcGDKyL3yWDVm6zKOF7U/iqUn6wWBmfSbjiPWk548m7RHIsNyR4AW
 NAIyeJ+QY+NvHUkQvVKSUZ1sL8QZK+I+7h2h2t4O7ejjjrWW7IQpuj1gdJimdRfzEYmkUqX
 wOLK8sNVBzfytiuSqmPsgW1jvBJl0Xc646d3ZLH/Os+GfEGQoJx3GmG8m/TvLMdpi268U5E
 zPhEQK+sCzP6K9dDpWONEtWPJvlX0HWO/F6pGUAimGOqVDxq86L7ILqwHqpw==
Received: from 547bf0a948a1 (code.ffmpeg.org [188.245.149.3])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 2A92268F652
	for <ffmpeg-devel@ffmpeg.org>; Fri, 24 Oct 2025 21:52:10 +0300 (EEST)
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 24 Oct 2025 18:52:09 -0000
Message-ID: <176133193030.25.2306743551918367776@7d278768979e>
Message-ID-Hash: LTIP773IH5XGI5L3DF6KRTYJ5XRGMLJO
X-Message-ID-Hash: LTIP773IH5XGI5L3DF6KRTYJ5XRGMLJO
X-MailFrom: code@ffmpeg.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-ffmpeg-devel.ffmpeg.org-0;
 header-match-ffmpeg-devel.ffmpeg.org-1;
 header-match-ffmpeg-devel.ffmpeg.org-2;
 header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PATCH] avformat/rtpenc_h264_hevc: Check space for
 nal_length_size in ff_rtp_send_h264_hevc() (PR #20746)
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
Archived-At: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/LTIP773IH5XGI5L3DF6KRTYJ5XRGMLJO/>
Archived-At: 
 <https://lists.ffmpeg.org/lore/ffmpeg-devel/176133193030.25.2306743551918367776@7d278768979e/>
List-Archive: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/>
List-Archive: <https://lists.ffmpeg.org/lore/ffmpeg-devel/>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Owner: <mailto:ffmpeg-devel-owner@ffmpeg.org>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Subscribe: <mailto:ffmpeg-devel-join@ffmpeg.org>
List-Unsubscribe: <mailto:ffmpeg-devel-leave@ffmpeg.org>
From: michaelni via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Cc: michaelni <code@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://master.gitmailbox.com/ffmpegdev/176133193030.25.2306743551918367776@7d278768979e/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

PR #20746 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20746
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20746.patch

Fixes: memcpy with negative size
Fixes: momo_trip-poc/input

Reported-by: Momoko Shiraishi <shiraishi@os.is.s.u-tokyo.ac.jp>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>


>>From 3924caed9dd6345bcfa5ce09e9dbc8d5403a7525 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 24 Oct 2025 20:29:23 +0200
Subject: [PATCH] avformat/rtpenc_h264_hevc: Check space for nal_length_size in
 ff_rtp_send_h264_hevc()

Fixes: memcpy with negative size
Fixes: momo_trip-poc/input

Reported-by: Momoko Shiraishi <shiraishi@os.is.s.u-tokyo.ac.jp>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rtpenc_h264_hevc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/rtpenc_h264_hevc.c b/libavformat/rtpenc_h264_hevc.c
index 4d222dca75..ea19cb0627 100644
--- a/libavformat/rtpenc_h264_hevc.c
+++ b/libavformat/rtpenc_h264_hevc.c
@@ -196,6 +196,8 @@ void ff_rtp_send_h264_hevc(AVFormatContext *s1, const uint8_t *buf1, int size)
             r1 = ff_nal_mp4_find_startcode(r, end, s->nal_length_size);
             if (!r1)
                 r1 = end;
+            if (r1 - r < s->nal_length_size)
+                break;
             r += s->nal_length_size;
         } else {
             while (!*(r++));
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org