From cfdabaefa24e846df26ebba124791f4c90302cfe Mon Sep 17 00:00:00 2001
From: sahvx655-wq <sahvx655@gmail.com>
Date: Wed, 3 Jun 2026 23:04:46 +0530
Subject: [PATCH] bounds-check OnUserControlMessage like sibling control
 handlers

---
 src/brpc/policy/rtmp_protocol.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/brpc/policy/rtmp_protocol.cpp b/src/brpc/policy/rtmp_protocol.cpp
index d706468650..056e3a5af0 100644
--- a/src/brpc/policy/rtmp_protocol.cpp
+++ b/src/brpc/policy/rtmp_protocol.cpp
@@ -1925,8 +1925,8 @@ bool RtmpChunkStream::OnSetPeerBandwidth(
 
 bool RtmpChunkStream::OnUserControlMessage(
     const RtmpMessageHeader& mh, butil::IOBuf* msg_body, Socket* socket) {
-    if (mh.message_length > 32) {
-        RTMP_ERROR(socket, mh) << "No user control message long as "
+    if (mh.message_length < 2 || mh.message_length > 32) {
+        RTMP_ERROR(socket, mh) << "Invalid user control message length="
                                << mh.message_length << " bytes";
         return false;
     }