From 883885b9cb5cd3e79109ca2f54464013e5f988bb Mon Sep 17 00:00:00 2001
From: tabudz <openhands@all-hands.dev>
Date: Sun, 8 Mar 2026 23:16:08 +0800
Subject: [PATCH] avformat/rl2: Fix DoS due to lack of eof check

Fixes: loop.rl2

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 3rdparty/ffmpeg/libavformat/rl2.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/3rdparty/ffmpeg/libavformat/rl2.c b/3rdparty/ffmpeg/libavformat/rl2.c
index 50170166..dacd65cd 100644
--- a/3rdparty/ffmpeg/libavformat/rl2.c
+++ b/3rdparty/ffmpeg/libavformat/rl2.c
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
     }
 
     /** read offset and size tables */
-    for(i=0; i < frame_count;i++)
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         chunk_size[i] = avio_rl32(pb);
-    for(i=0; i < frame_count;i++)
+    }
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         chunk_offset[i] = avio_rl32(pb);
-    for(i=0; i < frame_count;i++)
+    }
+    for(i=0; i < frame_count;i++) {
+        if (avio_feof(pb))
+            return AVERROR_INVALIDDATA;
         audio_size[i] = avio_rl32(pb) & 0xFFFF;
+    }
 
     /** build the sample index */
     for(i=0;i<frame_count;i++){