From 73cb3e57cf2601459f661bb8cb5f7baf1ec0d786 Mon Sep 17 00:00:00 2001
From: Arthur <kimarthx@gmail.com>
Date: Wed, 11 Mar 2026 15:15:45 +0500
Subject: [PATCH] fix: add bounds checks in AAC RTP demuxer to prevent panic

---
 format/rtspv2/demuxer.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/format/rtspv2/demuxer.go b/format/rtspv2/demuxer.go
index 396ca410..80d21bab 100644
--- a/format/rtspv2/demuxer.go
+++ b/format/rtspv2/demuxer.go
@@ -226,14 +226,26 @@ func (client *RTSPClient) handleAudio(content []byte) ([]*av.Packet, bool) {
 			duration = time.Duration(20) * time.Millisecond
 			retmap = client.appendAudioPacket(retmap, nal, duration)
 		case av.AAC:
+			if len(nal) < 2 {
+				break
+			}
 			auHeadersLength := uint16(0) | (uint16(nal[0]) << 8) | uint16(nal[1])
 			auHeadersCount := auHeadersLength >> 4
 			framesPayloadOffset := 2 + int(auHeadersCount)<<1
+			if framesPayloadOffset > len(nal) {
+				break
+			}
 			auHeaders := nal[2:framesPayloadOffset]
 			framesPayload := nal[framesPayloadOffset:]
 			for i := 0; i < int(auHeadersCount); i++ {
+				if len(auHeaders) < 2 {
+					break
+				}
 				auHeader := uint16(0) | (uint16(auHeaders[0]) << 8) | uint16(auHeaders[1])
 				frameSize := auHeader >> 3
+				if int(frameSize) > len(framesPayload) {
+					break
+				}
 				frame := framesPayload[:frameSize]
 				auHeaders = auHeaders[2:]
 				framesPayload = framesPayload[frameSize:]