From 13dc17dde984b7697c909d339058e6e38061d277 Mon Sep 17 00:00:00 2001
From: Christopher
Date: Tue, 31 Mar 2026 11:23:15 -0500
Subject: [PATCH] fix(h264,homekit): add bounds guards against malformed device data

h264 GetFmtpLine: check len(avc) >= 8 and size <= len(avc) before accessing avc[5:8] for the SPS profile bytes. A truncated SPS NALU from a misbehaving device caused an index-out-of-range panic.

homekit videoToMedia: clamp profileID and level to the bounds of the videoProfiles/videoLevels tables before indexing them. A non-compliant HomeKit device advertising an out-of-range profile or level value caused an index-out-of-range panic.
---
 pkg/h264/h264.go | 3 +++
 pkg/homekit/helpers.go | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/pkg/h264/h264.go b/pkg/h264/h264.go
index 12239536c..257cba05f 100644
--- a/pkg/h264/h264.go
+++ b/pkg/h264/h264.go
@@ -130,6 +130,9 @@ func GetFmtpLine(avc []byte) string {
 switch NALUType(avc) {
 case NALUTypeSPS:
+ if len(avc) < 8 || size > len(avc) {
+ return s
+ }
 s += ";profile-level-id=" + hex.EncodeToString(avc[5:8])
 s += ";sprop-parameter-sets=" + base64.StdEncoding.EncodeToString(avc[4:size])
 case NALUTypePPS:
diff --git a/pkg/homekit/helpers.go b/pkg/homekit/helpers.go
index 625e3ab70..d6c7f8a33 100644
--- a/pkg/homekit/helpers.go
+++ b/pkg/homekit/helpers.go
@@ -20,9 +20,15 @@ func videoToMedia(codecs []camera.VideoCodecConfiguration) *core.Media {
 for _, codec := range codecs {
 for _, param := range codec.CodecParams {
- // get best profile and level
+ // get best profile and level; clamp to table bounds
 profileID := core.Max(param.ProfileID)
+ if int(profileID) >= len(videoProfiles) {
+ profileID = byte(len(videoProfiles) - 1)
+ }
 level := core.Max(param.Level)
+ if int(level) >= len(videoLevels) {
+ level = byte(len(videoLevels) - 1)
+ }
 profile := videoProfiles[profileID] + videoLevels[level]
 mediaCodec := &core.Codec{
 Name: videoCodecs[codec.CodecType],
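Review bot: The new guard in the `NALUTypeSPS` case bounds `avc[5:8]` by `len(avc)` rather than by the unit's own `size`, so a unit whose declared size is below 8 inside a buffer of 8 or more bytes still passes, and the profile bytes are then taken from whatever follows that unit. Writing the check as `if size < 8 || size > len(avc) {` covers the truncated-buffer case as well, and would also reject a negative `size` if the length-prefix arithmetic (computed outside this hunk) can wrap on a 32-bit build. The `NALUTypePPS` case that begins on the hunk's last line appears to slice with the same unvalidated `size`, and `NALUType(avc)` runs before any length check. Both bodies are outside the hunk, so this needs confirming, but validating `size` once before the `switch` would protect every branch.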
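Review bot: `videoCodecs[codec.CodecType]` on the last line of this hunk is still indexed with a device-supplied value and no range check. If `videoCodecs` is a slice or array like `videoProfiles` and `videoLevels` (its declaration is not in the hunk), a non-compliant accessory can trigger the same index-out-of-range panic this commit fixes. A guard at the top of the outer loop, `if int(codec.CodecType) >= len(videoCodecs) { continue }`, would skip the unknown codec instead. Separately, clamping an out-of-range `profileID` or `level` to the last table entry makes the media description carry that entry for a device that reported something else; skipping the parameter set would avoid describing a stream the device never offered. The `core.Codec` literal continues past the end of the hunk.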