avformat/rdt: Check pkt_len

Fixes: CID1473553 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0d0373de3bc6aa6fa5c71247191afccfaf20723d) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-06-07 01:50:00 +02:00 · 2024-06-07 01:50:00 +02:00 · 82dcc0fb8e
commit 82dcc0fb8e
parent 624f15e77d
1 changed files with 2 additions and 0 deletions
--- a/libavformat/rdt.c
+++ b/libavformat/rdt.c
@ -205,6 +205,8 @@ ff_rdt_parse_header(const uint8_t *buf, int len,
            return -1; /* not followed by a data packet */

        pkt_len = AV_RB16(buf+3);
+        if (pkt_len > len)
+            return AVERROR_INVALIDDATA;
        buf += pkt_len;
        len -= pkt_len;
        consumed += pkt_len;