From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 23 Dec 2025 03:19:07 -0000
Message-ID: <176645994803.60.15447752206645176016@2cb04c0e5124>
Subject: [FFmpeg-devel] [PATCH] hls: fix 2 issues from 464965411/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-4790164406992896 (PR #21279)
From: michaelni via ffmpeg-devel
Cc: michaelni

PR #21279 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21279
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21279.patch

>>From 15aac980e8ed30cf04e1804ae0db66200207214c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Dec 2025 23:59:53 +0100 Subject: [PATCH 1/2] avformat/hls: Check seg size and offset for overflow Fixes: integer overflow Fixes: signed integer overflow: 9223372036854775807 + 2039324394 cannot be represented in type 'int64_t' (aka 'long') Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index 22ee1c6872..11d3050b20 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
@@ -975,6 +975,10 @@ static int parse_playlist(HLSContext *c, const char *url, ptr = strchr(ptr, '@'); if (ptr) seg_offset = strtoll(ptr+1, NULL, 10); + if (seg_size < 0 || seg_offset > INT64_MAX - seg_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } } else if (av_strstart(line, "#", NULL)) { av_log(c->ctx, AV_LOG_VERBOSE, "Skip ('%s')\n", line); continue; -- 2.49.1 >>From 75b5ca736df05b35be1eb30a1ae3ca99e6f15bea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Dec 2025 00:09:05 +0100 Subject: [PATCH 2/2] avformat/hls: Fix arguments of handle_rendition_args() Fixes: call to function handle_rendition_args through pointer to incorrect function type 'void (*)(void *, const char *, int, char **, int *)' Fixes: 464965411/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-4790164406992896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 11d3050b20..bc5494e42d 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -574,9 +574,11 @@ static struct rendition *new_rendition(HLSContext *c, struct rendition_info *inf return rend; } -static void handle_rendition_args(struct rendition_info *info, const char *key, +static void handle_rendition_args(void *vinfo, const char *key, int key_len, char **dest, int *dest_len) { + struct rendition_info *info = vinfo; + if (!strncmp(key, "TYPE=", key_len)) { *dest = info->type; *dest_len = sizeof(info->type); -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
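Review bot: In the added condition of patch 1/2 (`seg_size < 0 || seg_offset > INT64_MAX - seg_size`), a negative seg_offset still passes, because the second comparison is false for any negative offset. The line just above takes the offset from `strtoll(ptr+1, NULL, 10)`, which returns a negative value for input such as `@-1` and saturates silently on out-of-range input since neither the end pointer nor errno is inspected. Consider adding `seg_offset < 0 ||` to the same condition so that the sum is known to be a valid, non-negative byte position rather than only non-overflowing. The new failure path is also silent; a short av_log at error level before `goto fail` would tell the user which playlist line was rejected, as the neighbouring `#` branch already logs what it skips.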
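Review bot: The call site of handle_rendition_args is not touched by patch 2/2 (the diffstat's 3 insertions and 1 deletion are all in the definition), so if the caller passes it with a cast to the callback type, that cast should be dropped in the same commit. With the first parameter now `void *vinfo`, the definition matches the `void (*)(void *, const char *, int, char **, int *)` type quoted in the commit message, and leaving a cast in place would let the compiler accept the next signature drift without a diagnostic. It is also worth checking whether other callbacks handed to the same attribute parser still declare a typed struct pointer as their first parameter, since they would trip the same function-type sanitizer check on a different input.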