On Fri, Oct 24, 2025 at 06:03:26PM -0400, Kieran Kunhya via ffmpeg-devel wrote:
> On Fri, 24 Oct 2025, 14:52 michaelni via ffmpeg-devel, <
> ffmpeg-devel@ffmpeg.org> wrote:
> 
> > PR #20746 opened by michaelni
> > URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20746
> > Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20746.patch
> >
> > Fixes: memcpy with negative size
> > Fixes: momo_trip-poc/input
> >
> > Reported-by: Momoko Shiraishi <shiraishi@os.is.s.u-tokyo.ac.jp>
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >
> >
> > >From 3924caed9dd6345bcfa5ce09e9dbc8d5403a7525 Mon Sep 17 00:00:00 2001
> > From: Michael Niedermayer <michael@niedermayer.cc>
> > Date: Fri, 24 Oct 2025 20:29:23 +0200
> > Subject: [PATCH] avformat/rtpenc_h264_hevc: Check space for
> > nal_length_size in
> >  ff_rtp_send_h264_hevc()
> >
> > Fixes: memcpy with negative size
> > Fixes: momo_trip-poc/input
> >
> > Reported-by: Momoko Shiraishi <shiraishi@os.is.s.u-tokyo.ac.jp>
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/rtpenc_h264_hevc.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/libavformat/rtpenc_h264_hevc.c
> > b/libavformat/rtpenc_h264_hevc.c
> > index 4d222dca75..ea19cb0627 100644
> > --- a/libavformat/rtpenc_h264_hevc.c
> > +++ b/libavformat/rtpenc_h264_hevc.c
> > @@ -196,6 +196,8 @@ void ff_rtp_send_h264_hevc(AVFormatContext *s1, const
> > uint8_t *buf1, int size)
> >              r1 = ff_nal_mp4_find_startcode(r, end, s->nal_length_size);
> >              if (!r1)
> >                  r1 = end;
> > +            if (r1 - r < s->nal_length_size)
> > +                break;
> >              r += s->nal_length_size;
> >          } else {
> >              while (!*(r++));
> > --
> > 2.49.1
> >
> 
> Is this not a bug in ff_nal_mp4_find_startcode?
> 
> If not, please add a comment as to the reason this condition happens.

added, not sure how usefull that is though.
Its simply that the last is truncated ff_nal_mp4_find_startcode() returns NULL
which is turned into end and then theres just not enough space for nal_length_size

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle