From: stevenliu via ffmpeg-devel
To: ffmpeg-devel@ffmpeg.org
Cc: stevenliu
Date: Sat, 24 Jan 2026 07:50:52 -0000
Subject: [FFmpeg-devel] [PR] avformat/dashdec: check value valid after read value from mpd xml (PR #21568)
Message-ID: <176924105313.25.11045927441474285348@4457048688e7>

PR #21568 opened by stevenliu
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21568
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21568.patch

Before this commit, ffmpeg got a heap buffer overflow in the DASH demuxer via a negative start number. Check the value from the MPD XML, and set the value to 0 if a negative value is read.

Fixes: heap buffer overflow
Found-by: Zhenpeng (Leo) Lin from depthfirst
Signed-off-by: Steven Liu

From e0f26e0019ea8b4f17de56eddac943b5e2c7093f Mon Sep 17 00:00:00 2001
From: Steven Liu
Date: Sat, 24 Jan 2026 15:22:15 +0800
Subject: [PATCH] avformat/dashdec: check value valid after read value from mpd xml

Before this commit, ffmpeg got a heap buffer overflow in the DASH demuxer via a negative start number. Check the value from the MPD XML, and set the value to 0 if a negative value is read.

Fixes: heap buffer overflow
Found-by: Zhenpeng (Leo) Lin from depthfirst
Signed-off-by: Steven Liu --- libavformat/dashdec.c | 49 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 7 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index 500d8ca518..a41f4b7c5f 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c 
@@ -957,25 +957,45 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url, } val = get_val_from_nodes_tab(fragment_templates_tab, 4, "presentationTimeOffset"); if (val) { - rep->presentation_timeoffset = (int64_t) strtoll(val, NULL, 10); + int64_t presentation_timeoffset = (int64_t) strtoll(val, NULL, 10); + if (presentation_timeoffset < 0) { + av_log(s, AV_LOG_WARNING, "The presentationTimeOffset value invalid, autochanged to 0.\n"); + presentation_timeoffset = 0; + } + rep->presentation_timeoffset = presentation_timeoffset; av_log(s, AV_LOG_TRACE, "rep->presentation_timeoffset = [%"PRId64"]\n", rep->presentation_timeoffset); xmlFree(val); } val = get_val_from_nodes_tab(fragment_templates_tab, 4, "duration"); if (val) { - rep->fragment_duration = (int64_t) strtoll(val, NULL, 10); + int64_t fragment_duration = (int64_t) strtoll(val, NULL, 10); + if (fragment_duration < 0) { + av_log(s, AV_LOG_WARNING, "The duration value invalid, autochanged to 0.\n"); + fragment_duration = 0; + } + rep->fragment_duration = fragment_duration; av_log(s, AV_LOG_TRACE, "rep->fragment_duration = [%"PRId64"]\n", rep->fragment_duration); xmlFree(val); } val = get_val_from_nodes_tab(fragment_templates_tab, 4, "timescale"); if (val) { - rep->fragment_timescale = (int64_t) strtoll(val, NULL, 10); + int64_t fragment_timescale = (int64_t) strtoll(val, NULL, 10); + if (fragment_timescale < 0) { + av_log(s, AV_LOG_WARNING, "The timescale value invalid, autochanged to 0.\n"); + fragment_timescale = 0; + } + rep->fragment_timescale = fragment_timescale; av_log(s, AV_LOG_TRACE, "rep->fragment_timescale = [%"PRId64"]\n", rep->fragment_timescale); xmlFree(val); } val = get_val_from_nodes_tab(fragment_templates_tab, 4, "startNumber"); if (val) { - rep->start_number = rep->first_seq_no = (int64_t) strtoll(val, NULL, 10); + int64_t start_number = (int64_t) strtoll(val, NULL, 10); + if (start_number < 0) { + av_log(s, AV_LOG_WARNING, "The startNumber value invalid, autochanged 
to 0.\n"); + start_number = 0; + } + rep->start_number = rep->first_seq_no = start_number; av_log(s, AV_LOG_TRACE, "rep->first_seq_no = [%"PRId64"]\n", rep->first_seq_no); xmlFree(val); } @@ -1037,19 +1057,34 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url, val = get_val_from_nodes_tab(segmentlists_tab, 3, "duration"); if (val) { - rep->fragment_duration = (int64_t) strtoll(val, NULL, 10); + int64_t fragment_duration = (int64_t) strtoll(val, NULL, 10); + if (fragment_duration < 0) { + av_log(s, AV_LOG_WARNING, "The duration value invalid, autochanged to 0.\n"); + fragment_duration = 0; + } + rep->fragment_duration = fragment_duration; av_log(s, AV_LOG_TRACE, "rep->fragment_duration = [%"PRId64"]\n", rep->fragment_duration); xmlFree(val); } val = get_val_from_nodes_tab(segmentlists_tab, 3, "timescale"); if (val) { - rep->fragment_timescale = (int64_t) strtoll(val, NULL, 10); + int64_t fragment_timescale = (int64_t) strtoll(val, NULL, 10); + if (fragment_timescale < 0) { + av_log(s, AV_LOG_WARNING, "The timescale value invalid, autochanged to 0.\n"); + fragment_timescale = 0; + } + rep->fragment_timescale = fragment_timescale; av_log(s, AV_LOG_TRACE, "rep->fragment_timescale = [%"PRId64"]\n", rep->fragment_timescale); xmlFree(val); } val = get_val_from_nodes_tab(segmentlists_tab, 3, "startNumber"); if (val) { - rep->start_number = rep->first_seq_no = (int64_t) strtoll(val, NULL, 10); + int64_t start_number = (int64_t) strtoll(val, NULL, 10); + if (start_number < 0) { + av_log(s, AV_LOG_WARNING, "The startNumber value invalid, autochanged to 0.\n"); + start_number = 0; + } + rep->start_number = rep->first_seq_no = start_number; av_log(s, AV_LOG_TRACE, "rep->first_seq_no = [%"PRId64"]\n", rep->first_seq_no); xmlFree(val); } -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
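Review bot: in the first hunk (@@ -957), clamping fragment_timescale and fragment_duration to 0 on a negative input only swaps one invalid value for another: 0 is not a usable timescale or segment duration, and if either field is later used as a divisor when segment numbers or times are computed, the out-of-bounds access becomes a division by zero. Instead of `fragment_timescale = 0;` and `fragment_duration = 0;`, return AVERROR_INVALIDDATA so the manifest is rejected (the DASH @timescale attribute defaults to 1 when absent, so 1 is the only defensible fallback if you prefer not to fail). The check is also incomplete on the other side: `strtoll(val, NULL, 10)` turns non-numeric text into 0 without complaint and saturates to INT64_MAX on overflow, so a manifest with an absurdly large startNumber still passes the `< 0` test and feeds the same arithmetic; check the end pointer and errno, or add an upper bound. Minor: the warning text reads awkwardly ("The startNumber value invalid, autochanged to 0."); logging the rejected value, e.g. "Invalid startNumber %"PRId64", using 0", would make a malformed manifest much easier to diagnose.

Review bot: the second hunk (@@ -1037) repeats the same read, `< 0` check, warning and assign sequence that the first hunk added for the SegmentTemplate path, giving seven near-identical copies in one function. Factor it into a small static helper, for example `get_nonneg_int64(AVFormatContext *s, const char *val, const char *name)` (name is only a suggestion), which does the strtoll, the validation and the av_log once; a later change to the policy (an upper bound, or rejecting instead of clamping) then lands in one place, and the SegmentTemplate and SegmentList paths cannot drift apart. For the same reason as above, clamping `duration` and `timescale` to 0 here is not a safe fallback either; only the startNumber case has an obviously harmless replacement value.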