aunix/ZLMediaKit
1
0
Fork 0
mirror of https://gitee.com/xia-chu/ZLMediaKit.git synced 2026-06-21 22:47:49 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Limit RTP/JPEG reassembly to prevent unbounded memory growth (#4764)
Some checks failed
Android / build (push) Has been cancelled
Details
CodeQL / Analyze (cpp) (push) Has been cancelled
Details
CodeQL / Analyze (javascript) (push) Has been cancelled
Details
Docker / build (push) Has been cancelled
Details
DockerPy / build (push) Has been cancelled
Details
Linux / build (push) Has been cancelled
Details
Linux_Python / build (push) Has been cancelled
Details
macOS / build (push) Has been cancelled
Details
macOS_Python / build (push) Has been cancelled
Details
Windows / build (push) Has been cancelled
Details
Windows_Python / build (push) Has been cancelled
Details

Browse Source
This commit is contained in:
YuLi 2026-06-13 21:01:47 -07:00 committed by GitHub
parent 14fd9187b8
commit 5f11d3b3bf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
ext-codec/JPEGRtp.cpp
View File

@ -4,6 +4,11 @@
using namespace std; using namespace std;
using namespace mediakit; using namespace mediakit;
namespace {
// Prevent unbounded memory growth from malformed/hostile RTP/JPEG streams.
constexpr size_t kMaxRtpJpegFrameSize = 16 * 1024 * 1024;
}
#define AV_WB24(p, d) \ #define AV_WB24(p, d) \
do { \ do { \
((uint8_t *)(p))[2] = (d); \ ((uint8_t *)(p))[2] = (d); \
@ -539,6 +544,13 @@ static int jpeg_parse_packet(void *ctx, PayloadContext *jpeg, uint32_t *timestam
height, qtables, height, qtables,
qtable_len / 64, dri); qtable_len / 64, dri);
if ((size_t)jpeg->hdr_size > kMaxRtpJpegFrameSize) {
jpeg->frame.clear();
av_log(ctx, AV_LOG_ERROR,
"RTP/JPEG header is too large; dropping frame.\n");
return AVERROR_INVALIDDATA;
}
/* Copy JPEG header to frame buffer. */ /* Copy JPEG header to frame buffer. */
avio_write(jpeg->frame, hdr, jpeg->hdr_size); avio_write(jpeg->frame, hdr, jpeg->hdr_size);
} }
@ -563,6 +575,13 @@ static int jpeg_parse_packet(void *ctx, PayloadContext *jpeg, uint32_t *timestam
return AVERROR_EAGAIN; return AVERROR_EAGAIN;
} }
if (jpeg->frame.size() + len + 2 > kMaxRtpJpegFrameSize) {
jpeg->frame.clear();
av_log(ctx, AV_LOG_ERROR,
"RTP/JPEG frame is too large; dropping frame.\n");
return AVERROR_INVALIDDATA;
}
/* Copy data to frame buffer. */ /* Copy data to frame buffer. */
avio_write(jpeg->frame, buf, len); avio_write(jpeg->frame, buf, len);