Date: Sun, 4 Jan 2026 22:16:14 +0100
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] [PATCH] avformat/hls: fix integer overflow and unbounded memory allocation in intercept_id3
From: Baptiste Bd via ffmpeg-devel
Reply-To: FFmpeg development discussions and patches
Cc: Baptiste Bd
Content-Type: text/plain; charset="UTF-8"

Hello FFmpeg Developers,

I am submitting a patch to fix a security issue in libavformat/hls.c.

During a security audit of the HLS demuxer, I identified an Integer Overflow vulnerability in the `intercept_id3` function.

The variable `id3_buf_pos` is declared as a signed `int`. In scenarios where a segment contains a continuous stream of ID3 tags (malicious or malformed stream), this variable can overflow. This leads to a negative value being used in memory operations, resulting in a heap buffer overflow in `av_fast_realloc` and `memcpy`.

Additionally, there was no limit on the total size of accumulated ID3 data, allowing a malicious stream to trigger an OOM (Out Of Memory) Denial of Service.

This patch:
1. Promotes `id3_buf_pos` to `uint64_t` to prevent the integer overflow.
2. Adds a hard limit (100MB) to the accumulated ID3 buffer size to mitigate DoS risks.

The patch file is attached.

Best regards,
0xBat

---

From 72ab1c568e3a34cc02f5058088b48ebc45e36044 Mon Sep 17 00:00:00 2001
From: OxBat Date: Sun, 4 Jan 2026 21:13:40 +0100 Subject: [PATCH] avformat/hls: fix integer overflow and unbounded memory allocation in intercept_id3 The variable `id3_buf_pos` was declared as a signed `int`. In a scenario where a segment contains a continuous stream of ID3 tags, this variable could overflow, leading to a negative value. This negative value is subsequently used in `av_fast_realloc` (casting) and `memcpy` (pointer arithmetic), resulting in a heap buffer overflow and potential memory corruption. Additionally, there was no limit on the total size of accumulated ID3 data, allowing a malicious stream to cause an OOM (Out Of Memory) Denial of Service by triggering massive allocations. This patch: 1. Changes `id3_buf_pos` to `uint64_t` to prevent integer overflow. 2. Adds a hard limit (100MB) to the accumulated ID3 buffer size. Signed-off-by: 0xBat Signed-off-by: OxBat --- libavformat/hls.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index dabfaae5bc..6a215e8193 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -1248,7 +1248,7 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, /* intercept id3 tags, we do not want to pass them to the raw * demuxer on all segment switches */ int bytes; - int id3_buf_pos = 0; + uint64_t id3_buf_pos = 0; int fill_buf = 0; struct segment *seg = current_segment(pls); 
@@ -1287,6 +1287,11 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, taglen, maxsize); break; } + /* Sanity check to prevent OOM or overflow with infinite ID3 streams */ + if (id3_buf_pos + taglen > 100 * 1024 * 1024) { + av_log(pls->parent, AV_LOG_ERROR, "ID3 data accumulation exceeded 100MB limit, aborting to prevent DoS\n"); + break; + } /* * Copy the id3 tag to our temporary id3 buffer. -- 2.52.0.windows.1
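Review bot: widening `id3_buf_pos` from `int` to `uint64_t` in the first hunk (`- int id3_buf_pos = 0;` / `+ uint64_t id3_buf_pos = 0;`) is not needed once the second hunk caps accumulation at `100 * 1024 * 1024` bytes, a value that fits comfortably in an `int`, and on its own the widening is not a fix: the commit message itself says the value flows into `av_fast_realloc` (casting) and the `memcpy` pointer arithmetic, and a wider counter that is narrowed again at those call sites changes nothing. Either keep `int` and rely on the bound, or, if the wider type stays, check every later use of `id3_buf_pos` for implicit narrowing and state in the commit message why both changes are required. Note that `bytes` on the preceding line stays `int`, so the surrounding arithmetic is still sized for that range. Minor: the commit message carries two Signed-off-by lines for the same author under two spellings (0xBat / OxBat); one is enough.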
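Review bot: `100 * 1024 * 1024` in the added check (`+ if (id3_buf_pos + taglen > 100 * 1024 * 1024) {`) is a magic number that is repeated as "100MB" in the log string; give it a named constant near the top of the file and build the message from it so the two cannot drift. Two further points on the same lines: the figure is large for what ID3 in HLS segments normally carries (timed metadata, typically a few KiB per tag), so either justify 100 MiB in the commit message or choose a smaller bound; and the `av_log` line is far longer than the surrounding code, so wrap the format string. Placing the check after the existing `taglen`/`maxsize` failure and using `break` on the same path is the right choice, since the function returns nothing and the error log is the only signal that the remaining tags were dropped.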
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
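As an added illustration that is not part of the patch or of libavformat, here is a self-contained C model of the bound the patch introduces: an accumulator whose cap check is written as a subtraction, so it holds without widening the position counter, and whose growth never allocates past the cap. The names `id3_acc`, `id3_acc_append` and `id3_acc_demo` are hypothetical, and the 64 KiB cap in the demo is a constructed stand-in for the patch's 100 MiB.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names, not libavformat's. */
struct id3_acc {
    uint8_t *buf;
    size_t   size;   /* allocated capacity */
    size_t   pos;    /* bytes accumulated; invariant: pos <= limit */
    size_t   limit;  /* hard cap on accumulated ID3 bytes; the patch uses 100 MiB */
};

/* Append one tag: 0 on success, -1 if the cap would be exceeded or realloc
 * fails. The cap test is `taglen > limit - pos`, a subtraction that cannot
 * underflow under the invariant, so no sum can wrap whatever width pos has. */
int id3_acc_append(struct id3_acc *a, const uint8_t *tag, size_t taglen)
{
    if (taglen > a->limit - a->pos)
        return -1;
    if (a->pos + taglen > a->size) {
        /* grow geometrically like av_fast_realloc, but never past the cap */
        size_t want = a->pos + taglen, cap = a->size ? a->size : 256;
        while (cap < want)
            cap = cap <= a->limit / 2 ? cap * 2 : a->limit;
        uint8_t *nb = realloc(a->buf, cap);
        if (!nb)
            return -1;
        a->buf  = nb;
        a->size = cap;
    }
    memcpy(a->buf + a->pos, tag, taglen);
    a->pos += taglen;
    return 0;
}

/* Constructed scenario: a segment that is nothing but 4 KiB ID3 tags, fed to an
 * accumulator capped at 64 KiB. Returns how many tags were accepted before the
 * cap stopped the loop (16), the same way the patch's `break` stops scanning. */
int id3_acc_demo(void)
{
    struct id3_acc a = { NULL, 0, 0, 64 * 1024 };
    uint8_t tag[4096] = { 0 };      /* payload is irrelevant to the bound */
    int accepted = 0;
    while (id3_acc_append(&a, tag, sizeof tag) == 0)
        accepted++;
    free(a.buf);
    return accepted;
}
```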