[FFmpeg-devel] [PATCH] avformat/hls: fix integer overflow and unbounded memory allocation in intercept_id3

[Baptiste Bd via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>]

[-- Attachment #1: Type: text/plain, Size: 3113 bytes --]

Hello FFmpeg Developers,

I am submitting a patch to fix a security issue in libavformat/hls.c.

During a security audit of the HLS demuxer, I identified an Integer
Overflow vulnerability in the `intercept_id3` function. The variable
`id3_buf_pos` is declared as a signed `int`.

In scenarios where a segment contains a continuous stream of ID3 tags
(malicious or malformed stream), this variable can overflow. This leads to
a negative value being used in memory operations, resulting in a heap
buffer overflow in `av_fast_realloc` and `memcpy`.

Additionally, there was no limit on the total size of accumulated ID3 data,
allowing a malicious stream to trigger an OOM (Out Of Memory) Denial of
Service.

This patch:
1. Promotes `id3_buf_pos` to `uint64_t` to prevent the integer overflow.
2. Adds a hard limit (100MB) to the accumulated ID3 buffer size to mitigate
DoS risks.

The patch file is attached.

Best regards,
0xBat

---

>From 72ab1c568e3a34cc02f5058088b48ebc45e36044 Mon Sep 17 00:00:00 2001
From: OxBat <monsterbat02@gmail.com>
Date: Sun, 4 Jan 2026 21:13:40 +0100
Subject: [PATCH] avformat/hls: fix integer overflow and unbounded memory
 allocation in intercept_id3

The variable `id3_buf_pos` was declared as a signed `int`. In a scenario
where a segment contains a continuous stream of ID3 tags, this variable
could overflow, leading to a negative value.

This negative value is subsequently used in `av_fast_realloc` (casting)
and `memcpy` (pointer arithmetic), resulting in a heap buffer overflow
and potential memory corruption.

Additionally, there was no limit on the total size of accumulated ID3 data,
allowing a malicious stream to cause an OOM (Out Of Memory) Denial of
Service
by triggering massive allocations.

This patch:
1. Changes `id3_buf_pos` to `uint64_t` to prevent integer overflow.
2. Adds a hard limit (100MB) to the accumulated ID3 buffer size.

Signed-off-by: 0xBat <monsterbat02@gmail.com>
Signed-off-by: OxBat <monsterbat02@gmail.com>
---
 libavformat/hls.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavformat/hls.c b/libavformat/hls.c
index dabfaae5bc..6a215e8193 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -1248,7 +1248,7 @@ static void intercept_id3(struct playlist *pls,
uint8_t *buf,
     /* intercept id3 tags, we do not want to pass them to the raw
      * demuxer on all segment switches */
     int bytes;
-    int id3_buf_pos = 0;
+    uint64_t id3_buf_pos = 0;
     int fill_buf = 0;
     struct segment *seg = current_segment(pls);

@@ -1287,6 +1287,11 @@ static void intercept_id3(struct playlist *pls,
uint8_t *buf,
                        taglen, maxsize);
                 break;
             }
+            /* Sanity check to prevent OOM or overflow with infinite ID3
streams */
+            if (id3_buf_pos + taglen > 100 * 1024 * 1024) {
+                av_log(pls->parent, AV_LOG_ERROR, "ID3 data accumulation
exceeded 100MB limit, aborting to prevent DoS\n");
+                break;
+            }

             /*
              * Copy the id3 tag to our temporary id3 buffer.
-- 
2.52.0.windows.1

[-- Attachment #2: 0001-avformat-hls-fix-integer-overflow-and-unbounded-memo.patch --]
[-- Type: application/octet-stream, Size: 2182 bytes --]

[-- Attachment #3: Type: text/plain, Size: 163 bytes --]

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org