fix: prevent MP4 & PS demuxer panics due to out-of-bounds/underflow (#1995)

Amrit kumar Mahto · Amrit kumar Mahto · commit ca2b708023e5 · 2026-01-08T02:36:30.000+05:30
diff --git a/src/rust/src/demuxer/stream_functions.rs b/src/rust/src/demuxer/stream_functions.rs
@@ -331,8 +331,9 @@ unsafe fn detect_stream_type_common(ctx: &mut CcxDemuxer, ccx_options: &mut Opti
             }
 
             // Now check for PS (Needs PACK header)
+            // We use saturating_sub to avoid underflow if the buffer is tiny.
             let limit = if ctx.startbytes_avail < 50000 {
-                ctx.startbytes_avail - 3
+                ctx.startbytes_avail.saturating_sub(3)
             } else {
                 49997
             } as usize;
@@ -427,8 +428,10 @@ pub fn is_valid_mp4_box(
                 )
             );
 
-            // If the box type is "moov", check if it contains a valid movie header (mvhd)
+            // If the box type is "moov", we need to check if it contains "mvhd".
+            // We must check the buffer length first to avoid an out-of-bounds panic.
             if idx == 2
+                && position + 15 < buffer.len()
                 && !(buffer[position + 12] == b'm'
                     && buffer[position + 13] == b'v'
                     && buffer[position + 14] == b'h'

Original file line number	Diff line number	Diff line change
`@@ -331,8 +331,9 @@ unsafe fn detect_stream_type_common(ctx: &mut CcxDemuxer, ccx_options: &mut Opti`
`331`	`331`	`}`
`332`	`332`
`333`	`333`	`// Now check for PS (Needs PACK header)`
	`334`	`+ // We use saturating_sub to avoid underflow if the buffer is tiny.`
`334`	`335`	`let limit = if ctx.startbytes_avail < 50000 {`
`335`		`- ctx.startbytes_avail - 3`
	`336`	`+ ctx.startbytes_avail.saturating_sub(3)`
`336`	`337`	`} else {`
`337`	`338`	`49997`
`338`	`339`	`} as usize;`
`@@ -427,8 +428,10 @@ pub fn is_valid_mp4_box(`
`427`	`428`	`)`
`428`	`429`	`);`
`429`	`430`
`430`		`- // If the box type is "moov", check if it contains a valid movie header (mvhd)`
	`431`	`+ // If the box type is "moov", we need to check if it contains "mvhd".`
	`432`	`+ // We must check the buffer length first to avoid an out-of-bounds panic.`
`431`	`433`	`if idx == 2`
	`434`	`+ && position + 15 < buffer.len()`
`432`	`435`	`&& !(buffer[position + 12] == b'm'`
`433`	`436`	`&& buffer[position + 13] == b'v'`
`434`	`437`	`&& buffer[position + 14] == b'h'`