From: rcx86 via ffmpeg-devel
Cc: rcx86
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 06 Jan 2026 12:29:06 -0000
Subject: [FFmpeg-devel] [PR] avformat/rtsp: fix silent input truncation in get_word_until_chars (PR #21390)
Message-ID: <176770254719.25.17651894370820724906@4457048688e7>
Reply-To: FFmpeg development discussions and patches
Content-Type: text/plain; charset="us-ascii"

PR #21390 opened by rcx86
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21390
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21390.patch

The get_word_until_chars function silently truncated input text that exceeded the buffer size, discarding the overflow while advancing the input pointer. This allowed malicious requests (e.g., in SDP parsing) to bypass validation by appending garbage characters to otherwise valid numeric tokens (like ports or payload types), leading to firewall evasion or protocol smuggling.

Modify get_word_until_chars to return a truncation error. Update callers to propagate this error. Introduce a strict integer parsing helper to reject values with trailing garbage. Update SDP parsing code to validate port and payload type fields strictly.

From 3e8db2f023213aaf37919574186c9ede5fd0eff0 Mon Sep 17 00:00:00 2001
From: HACKE-RC <60568652+HACKE-RC@users.noreply.github.com>
Date: Sun, 4 Jan 2026 16:35:43 +0530
Subject: [PATCH] avformat/rtsp: fix silent input truncation in get_word_until_chars

The get_word_until_chars function silently truncated input text that exceeded the buffer size, discarding the overflow while advancing the input pointer. This allowed malicious requests (e.g., in SDP parsing) to bypass validation by appending garbage characters to otherwise valid numeric tokens (like ports or payload types), leading to firewall evasion or protocol smuggling.

Modify get_word_until_chars to return a truncation error. Update callers to propagate this error. Introduce a strict integer parsing helper to reject values with trailing garbage. Update SDP parsing code to validate port and payload type fields strictly.
---
 libavformat/rtsp.c | 76 ++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 63 insertions(+), 13 deletions(-)

diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
index e8f44e571a..c6c4c52cab 100644
--- a/libavformat/rtsp.c
+++ b/libavformat/rtsp.c
@@ -166,35 +166,74 @@ static int copy_tls_opts_dict(RTSPState *rt, AVDictionary **dict) #undef ERR_RET -static void get_word_until_chars(char *buf, int buf_size, - const char *sep, const char **pp) +/** + * Parse a word from the input string until a separator is found. + * @return 0 on success, 1 if truncation occurred + */ +static int get_word_until_chars(char *buf, int buf_size, + const char *sep, const char **pp) { const char *p; char *q; + int truncated = 0; p = *pp; p += strspn(p, SPACE_CHARS); q = buf; while (!strchr(sep, *p) && *p != '\0') { - if ((q - buf) < buf_size - 1) + if ((q - buf) < buf_size - 1) { *q++ = *p; + } else { + truncated = 1; + } p++; } if (buf_size > 0) *q = '\0'; *pp = p; + return truncated; } -static void get_word_sep(char *buf, int buf_size, const char *sep, - const char **pp) +static int get_word_sep(char *buf, int buf_size, const char *sep, + const char **pp) { if (**pp == '/') (*pp)++; - get_word_until_chars(buf, buf_size, sep, pp); + return get_word_until_chars(buf, buf_size, sep, pp); } -static void get_word(char *buf, int buf_size, const char **pp) +static int get_word(char *buf, int buf_size, const char **pp) { - get_word_until_chars(buf, buf_size, SPACE_CHARS, pp); + return get_word_until_chars(buf, buf_size, SPACE_CHARS, pp); +} + +/** + * Parse an integer from a string, rejecting trailing garbage. + * Uses strtol with endptr validation, consistent with FFmpeg patterns. 
+ * @return 0 on success, -1 on error (empty, trailing garbage, or overflow) + */ +static int parse_strict_int(const char *str, int *result) +{ + char *endptr; + long val; + + if (!str || !*str) + return -1; + + val = strtol(str, &endptr, 10); + + /* Skip trailing whitespace */ + endptr += strspn(endptr, SPACE_CHARS); + + /* Reject if trailing non-whitespace garbage */ + if (*endptr != '\0') + return -1; + + /* Check range (platform-independent) */ + if (val < INT_MIN || val > INT_MAX) + return -1; + + *result = (int)val; + return 0; } /** Parse a string p in the form of Range:npt=xx-xx, and determine the start @@ -452,7 +491,7 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1, char buf1[64], st_type[64]; const char *p; enum AVMediaType codec_type; - int payload_type; + int payload_type, payload; AVStream *st; RTSPStream *rtsp_st; RTSPSource *rtsp_src; @@ -540,8 +579,13 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1, &rtsp_st->exclude_source_addrs, &rtsp_st->nb_exclude_source_addrs); - get_word(buf1, sizeof(buf1), &p); /* port */ - rtsp_st->sdp_port = atoi(buf1); + if (get_word(buf1, sizeof(buf1), &p) || + parse_strict_int(buf1, &rtsp_st->sdp_port) < 0 || + rtsp_st->sdp_port < 0 || rtsp_st->sdp_port > 65535) { + av_log(s, AV_LOG_WARNING, "Invalid port in SDP m= line: %s\n", buf1); + s1->skip_media = 1; + return; + } get_word(buf1, sizeof(buf1), &p); /* protocol */ if (!strcmp(buf1, "udp")) 
@@ -550,8 +594,14 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1, rtsp_st->feedback = 1; /* XXX: handle list of formats */ - get_word(buf1, sizeof(buf1), &p); /* format list */ - rtsp_st->sdp_payload_type = atoi(buf1); + if (get_word(buf1, sizeof(buf1), &p) || + parse_strict_int(buf1, &payload) < 0 || + payload < 0 || payload > 127) { + av_log(s, AV_LOG_WARNING, "Invalid payload type in SDP: %s\n", buf1); + s1->skip_media = 1; + return; + } + rtsp_st->sdp_payload_type = payload; if (!strcmp(ff_rtp_enc_name(rtsp_st->sdp_payload_type), "MP2T")) { /* no corresponding stream */ -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
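Review bot: in the first hunk (@@ -166), parse_strict_int's range check `if (val < INT_MIN || val > INT_MAX)` does not catch overflow on platforms where long is 32 bits: strtol saturates to LONG_MAX/LONG_MIN, which there equal INT_MAX/INT_MIN and pass the check, so the "platform-independent" comment overstates what the code does. Set errno = 0 before the strtol call and treat errno == ERANGE as an error in addition to the comparison. The doc comment should also say that strtol accepts leading whitespace and a sign, so "+96" and "-0" are accepted by this helper and only the callers' own range checks reject negatives. Please also confirm rtsp.c pulls in <limits.h> for INT_MIN/INT_MAX.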
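Review bot: in the port hunk (@@ -540), rejecting any non-digit tail means an m= line written in the RFC 4566 `<port>/<number of ports>` form (e.g. `49170/2`) is now skipped with a warning, whereas atoi() previously yielded 49170; if that form is meant to stay supported, split the token at '/' before handing it to parse_strict_int. In the same hunk the context line `get_word(buf1, sizeof(buf1), &p); /* protocol */` still discards the new return value, so a truncated protocol token is accepted silently, which does not match the commit message's "Update callers to propagate this error"; the other get_word/get_word_sep callers in rtsp.c that are not touched by this patch have the same gap.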
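Review bot: in the format-list hunk (@@ -550), the strict 0..127 check changes behaviour for the `udp` transport handled just above: RFC 4566 specifies a media type string, not an RTP payload type, as the fmt for proto `udp`, and atoi() previously mapped such a string to 0 while the new code skips the media. Confirm that the numeric raw-UDP MP2T case (payload 33, implied by the `ff_rtp_enc_name(...) == "MP2T"` check in the following context) is the only udp form that has to keep working, or apply the strict check on the RTP path only. Minor: when get_word() reports truncation, buf1 holds only the 63-byte prefix, so the warning logs a partial token; stating "truncated" in the message would avoid confusing log readers.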
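To make the failure mode in the PR description concrete, the following added example (not part of the patch or of FFmpeg's code; `get_word_demo`, `port_lenient` and `port_strict` are hypothetical names, and the word buffer is shrunk to 16 bytes instead of rtsp.c's 64 so truncation is easy to trigger) parses the port field of constructed SDP m= lines the pre-patch way (truncation ignored, atoi) and the post-patch way (truncation, trailing garbage, overflow and range all rejected).

```c
/* Added demonstration of lenient vs. strict SDP port parsing; constructed, not FFmpeg code. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define SPACE_CHARS " \t\r\n"
#define WORD_BUF 16   /* deliberately small so an overlong token is easy to build */

/* Copy one whitespace-delimited word into buf. As in the patched rtsp.c helper,
 * bytes that do not fit are dropped but *pp still advances past them; the
 * return value (1 = truncated) is what pre-patch callers never saw. */
static int get_word_demo(char *buf, int buf_size, const char **pp)
{
    const char *p = *pp + strspn(*pp, SPACE_CHARS);
    char *q = buf;
    int truncated = 0;

    while (*p && !strchr(SPACE_CHARS, *p)) {
        if (q - buf < buf_size - 1)
            *q++ = *p;
        else
            truncated = 1;
        p++;
    }
    *q = '\0';
    *pp = p;
    return truncated;
}

/* Pre-patch style: truncation ignored, atoi() stops at the first non-digit. */
int port_lenient(const char *mline_after_media)
{
    char buf[WORD_BUF];
    get_word_demo(buf, sizeof buf, &mline_after_media);
    return atoi(buf);
}

/* Post-patch style: -1 on truncation, empty token, trailing garbage, overflow or range. */
int port_strict(const char *mline_after_media)
{
    char buf[WORD_BUF], *end;
    long v;

    if (get_word_demo(buf, sizeof buf, &mline_after_media) || !*buf)
        return -1;
    errno = 0;
    v = strtol(buf, &end, 10);
    end += strspn(end, SPACE_CHARS);
    if (*end || errno == ERANGE || v < 0 || v > 65535)
        return -1;
    return (int)v;
}
```

The overlong all-digit token is the interesting case: the lenient path returns 0, a valid-looking port that is not what the sender wrote, while the strict path reports the truncation.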