fix: add bounds checks in AAC RTP demuxer to prevent panic #126

Open: kimarti wants to merge 1 commit into deepch:master from kimarti:fix/aac-rtp-bounds-check

kimarti commented Mar 11, 2026

```
panic: runtime error: slice bounds out of range [:4624] with capacity 1292

goroutine 10714598 [running]:
github.com/deepch/vdk/format/rtspv2.(*RTSPClient).RTPDemuxer(0xc0004d2a00, 0xc0002d6240?)
        github.com/deepch/vdk@v0.0.27/format/rtspv2/client.go:815 +0x247b
github.com/deepch/vdk/format/rtspv2.(*RTSPClient).startStream(0xc0004d2a00)
        github.com/deepch/vdk@v0.0.27/format/rtspv2/client.go:314 +0x53c
created by github.com/deepch/vdk/format/rtspv2.Dial in goroutine 68
        github.com/deepch/vdk@v0.0.27/format/rtspv2/client.go:243 +0x1905
```

This happens in a goroutine spawned by Dial, so the caller cannot
recover from it — the panic kills the entire process.

Add bounds checks before slicing in the case av.AAC branch:

  1. Validate framesPayloadOffset does not exceed len(nal)
  2. Validate len(auHeaders) >= 2 before reading AU-header bytes
  3. Validate frameSize does not exceed len(framesPayload)

Malformed packets are silently skipped instead of crashing.
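
The three checks listed above, as an added Go example that is not the PR's code or vdk's: a hypothetical `splitAACFrames` helper that assumes the RFC 3640 AAC-hbr layout (16-bit AU headers, 13-bit size plus 3-bit index) and returns an error where the PR skips the packet. The sample payloads are constructed; the second one declares a 4624-byte frame, the size seen in the panic message.

```go
package main

import (
	"errors"
	"fmt"
)

var errMalformedAAC = errors.New("malformed AAC RTP payload")

// splitAACFrames splits one AAC RTP payload into access units (hypothetical helper).
// Assumed layout: 2-byte AU-headers-length in bits, then 16-bit AU headers, then frames.
func splitAACFrames(nal []byte) ([][]byte, error) {
	if len(nal) < 2 {
		return nil, errMalformedAAC
	}
	// AU-headers-length counts bits; each AU header is 16 bits, so >>4 gives the count.
	auHeadersCount := (int(nal[0])<<8 | int(nal[1])) >> 4
	framesPayloadOffset := 2 + auHeadersCount*2
	if framesPayloadOffset > len(nal) { // check 1: header section fits in the packet
		return nil, errMalformedAAC
	}
	auHeaders := nal[2:framesPayloadOffset]
	framesPayload := nal[framesPayloadOffset:]
	var frames [][]byte
	for i := 0; i < auHeadersCount; i++ {
		if len(auHeaders) < 2 { // check 2: two header bytes are available
			return nil, errMalformedAAC
		}
		frameSize := (int(auHeaders[0])<<8 | int(auHeaders[1])) >> 3 // top 13 bits
		if frameSize > len(framesPayload) { // check 3: declared size fits what is left
			return nil, errMalformedAAC
		}
		frames = append(frames, framesPayload[:frameSize])
		auHeaders = auHeaders[2:]
		framesPayload = framesPayload[frameSize:]
	}
	return frames, nil
}

func main() {
	// Constructed payloads: a valid 3-byte AU, then an AU header declaring 4624 bytes.
	good := []byte{0x00, 0x10, 0x00, 0x18, 0xAA, 0xBB, 0xCC}
	bad := []byte{0x00, 0x10, 0x90, 0x80, 0xAA, 0xBB, 0xCC}
	for _, p := range [][]byte{good, bad} {
		frames, err := splitAACFrames(p)
		fmt.Println(len(frames), err)
	}
}
```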

Cacsjep added a commit to Cacsjep/vdk that referenced this pull request May 27, 2026

Add several robustness fixes to the RTSP demuxer and client and introduce unit tests.

- Add mergeResponseHeader to preserve Digest over Basic in WWW-Authenticate responses (prefer strongest scheme) to avoid downgrading to Basic (backports upstream PR deepch#104) and use it when parsing response headers.
- Use RFC 7826 default ports: 322 for rtsps and 554 for rtsp (backports upstream PR deepch#118) when parsing URLs; normalize unknown schemes to rtsp. Add URL parsing tests.
- Fix RTP timestamp slice to read exactly 4 bytes (avoid leaking SSRC into timestamp) (backports upstream PR deepch#119) and add tests verifying timestamp behavior.
- Harden H.264 STAP-A parsing to guard against size==0 causing OOB reads (prevents panics, referenced upstream issue deepch#114).
- Add bounds checks in AAC handling to avoid panics from malformed AU headers and frame sizes (backports upstream PR deepch#126).
- Add comprehensive tests: client_test.go and demuxer_test.go covering URL parsing, WWW-Authenticate merging, H.264 STAP-A, AAC malformed packets, metadata reassembly, and other demuxer behaviors. Remove older demuxer_metadata_test.go in favor of unified tests.