Limit RTP/JPEG reassembly to prevent unbounded memory growth (#4764)

2026-06-20 22:17:49 +08:00 · 2026-06-13 21:01:47 -07:00 · 2026-06-13 21:01:47 -07:00 · 5f11d3b3bf
commit 5f11d3b3bf
parent 14fd9187b8
1 changed files with 19 additions and 0 deletions
--- a/ext-codec/JPEGRtp.cpp
+++ b/ext-codec/JPEGRtp.cpp
@ -4,6 +4,11 @@
 using namespace std;
 using namespace mediakit;

+namespace {
+// Prevent unbounded memory growth from malformed/hostile RTP/JPEG streams.
+constexpr size_t kMaxRtpJpegFrameSize = 16 * 1024 * 1024;
+}
+
 #define AV_WB24(p, d)                                                                                                  \
    do {                                                                                                               \
        ((uint8_t *)(p))[2] = (d);                                                                                     \
@ -539,6 +544,13 @@ static int jpeg_parse_packet(void *ctx, PayloadContext *jpeg, uint32_t *timestam
                                            height, qtables,
                                            qtable_len / 64, dri);

+        if ((size_t)jpeg->hdr_size > kMaxRtpJpegFrameSize) {
+            jpeg->frame.clear();
+            av_log(ctx, AV_LOG_ERROR,
+                   "RTP/JPEG header is too large; dropping frame.\n");
+            return AVERROR_INVALIDDATA;
+        }
+
        /* Copy JPEG header to frame buffer. */
        avio_write(jpeg->frame, hdr, jpeg->hdr_size);
    }
@ -563,6 +575,13 @@ static int jpeg_parse_packet(void *ctx, PayloadContext *jpeg, uint32_t *timestam
        return AVERROR_EAGAIN;
    }

+    if (jpeg->frame.size() + len + 2 > kMaxRtpJpegFrameSize) {
+        jpeg->frame.clear();
+        av_log(ctx, AV_LOG_ERROR,
+               "RTP/JPEG frame is too large; dropping frame.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    /* Copy data to frame buffer. */
    avio_write(jpeg->frame, buf, len);