Hello FFmpeg Developers, I am submitting a patch to fix a security issue in libavformat/hls.c.
During a security audit of the HLS demuxer, I identified an Integer Overflow vulnerability in the `intercept_id3` function. The variable `id3_buf_pos` is declared as a signed `int`. In scenarios where a segment contains a continuous stream of ID3 tags (malicious or malformed stream), this variable can overflow. This leads to a negative value being used in memory operations, resulting in a heap buffer overflow in `av_fast_realloc` and `memcpy`.

Additionally, there was no limit on the total size of accumulated ID3 data, allowing a malicious stream to trigger an OOM (Out Of Memory) Denial of Service.

This patch:
1. Promotes `id3_buf_pos` to `uint64_t` to prevent the integer overflow.
2. Adds a hard limit (100MB) to the accumulated ID3 buffer size to mitigate DoS risks.

The patch file is attached.

Best regards,
0xBat

---

From 72ab1c568e3a34cc02f5058088b48ebc45e36044 Mon Sep 17 00:00:00 2001
From: OxBat <[email protected]>
Date: Sun, 4 Jan 2026 21:13:40 +0100
Subject: [PATCH] avformat/hls: fix integer overflow and unbounded memory allocation in intercept_id3

The variable `id3_buf_pos` was declared as a signed `int`. In a scenario where a segment contains a continuous stream of ID3 tags, this variable could overflow, leading to a negative value. This negative value is subsequently used in `av_fast_realloc` (casting) and `memcpy` (pointer arithmetic), resulting in a heap buffer overflow and potential memory corruption.

Additionally, there was no limit on the total size of accumulated ID3 data, allowing a malicious stream to cause an OOM (Out Of Memory) Denial of Service by triggering massive allocations.

This patch:
1. Changes `id3_buf_pos` to `uint64_t` to prevent integer overflow.
2. Adds a hard limit (100MB) to the accumulated ID3 buffer size.

Signed-off-by: 0xBat <[email protected]>
Signed-off-by: OxBat <[email protected]>
---
 libavformat/hls.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavformat/hls.c b/libavformat/hls.c index dabfaae5bc..6a215e8193 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -1248,7 +1248,7 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, /* intercept id3 tags, we do not want to pass them to the raw * demuxer on all segment switches */ int bytes; - int id3_buf_pos = 0; + uint64_t id3_buf_pos = 0; int fill_buf = 0; struct segment *seg = current_segment(pls); @@ -1287,6 +1287,11 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, taglen, maxsize); break; } + /* Sanity check to prevent OOM or overflow with infinite ID3 streams */ + if (id3_buf_pos + taglen > 100 * 1024 * 1024) { + av_log(pls->parent, AV_LOG_ERROR, "ID3 data accumulation exceeded 100MB limit, aborting to prevent DoS\n"); + break; + } /* * Copy the id3 tag to our temporary id3 buffer. -- 2.52.0.windows.1
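Review bot: the `int` to `uint64_t` change in the first hunk is redundant once the second hunk's 100MB bound is in place, since `id3_buf_pos` can then never approach `INT_MAX`, and it introduces signed/unsigned mixing in the function: `bytes` on the line above stays `int`, and if `taglen` is signed it is now promoted to unsigned in the `id3_buf_pos + taglen` comparison (a negative `taglen` would wrap to a huge value and trip the limit, which happens to be safe but is not what the code says). Pick one approach and state it in the commit message: either keep `int` and rely on the bound, or use `size_t`, the natural type for a buffer offset, rather than a fixed 64-bit width; as written the message claims both changes fix the overflow, which obscures which one is the actual fix.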
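Review bot: the 100MB bound in the second hunk is a magic number written twice, once in the check and once in the log string, so hoist it into a named constant and build the message from it, e.g. `#define HLS_MAX_ID3_SIZE (100 * 1024 * 1024)` and `if (id3_buf_pos + taglen > HLS_MAX_ID3_SIZE)`; a bound written as `taglen > HLS_MAX_ID3_SIZE - id3_buf_pos` would also keep the check itself free of any wrap. The commit message should justify the value (100MB of ID3 data inside a single segment is far beyond any legitimate use, so a much smaller limit would do), the `av_log` line should be wrapped to stay within the 80-column convention used elsewhere in this file, and since `break` leaves the loop exactly as the preceding `taglen > maxsize` case does, the wording "aborting to prevent DoS" overstates what happens; describe the actual effect on the already-accumulated data instead.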
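As an added illustration of the bound this patch introduces (example code written for this review, not part of the submitted patch or of FFmpeg): a `size_t` fill offset whose limit is checked by subtraction, so the check itself cannot wrap, plus a 32-bit demonstration of why the `pos + taglen > cap` form is fragile. The names `id3_append`, `id3_feed_stream` and `naive_check_fooled`, the result struct, and the cap values are assumptions; the tag payload is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum id3_status { ID3_OK = 0, ID3_TOO_LARGE = 1 };
struct id3_result { enum id3_status status; size_t pos; };

/* Append one tag to a growing buffer. The bound is tested as `taglen > cap - *pos`,
 * which cannot wrap, unlike `*pos + taglen > cap` when taglen is near the type max. */
static enum id3_status id3_append(uint8_t **buf, size_t *bufsize, size_t *pos,
                                  const uint8_t *tag, size_t taglen, size_t cap)
{
    if (taglen > cap - *pos)                  /* would exceed the hard limit */
        return ID3_TOO_LARGE;
    size_t need = *pos + taglen;              /* safe: need <= cap */
    if (need > *bufsize) {
        size_t newsize = *bufsize <= cap / 2 ? *bufsize * 2 : cap;  /* double, capped */
        if (newsize < need)
            newsize = need;
        uint8_t *nb = realloc(*buf, newsize);
        if (!nb)
            return ID3_TOO_LARGE;
        *buf = nb;
        *bufsize = newsize;
    }
    memcpy(*buf + *pos, tag, taglen);
    *pos += taglen;
    return ID3_OK;
}

/* Feed `count` constructed tags of `taglen` (> 0) bytes each; the returned fill
 * offset is always <= cap, whatever the input. */
static struct id3_result id3_feed_stream(size_t count, size_t taglen, size_t cap)
{
    struct id3_result r = { ID3_OK, 0 };
    uint8_t *buf = NULL, *tag = malloc(taglen);
    size_t bufsize = 0;
    if (!tag)
        return (struct id3_result){ ID3_TOO_LARGE, 0 };
    memset(tag, 'T', taglen);                 /* constructed tag payload */
    for (size_t i = 0; i < count && r.status == ID3_OK; i++)
        r.status = id3_append(&buf, &bufsize, &r.pos, tag, taglen, cap);
    free(tag); free(buf);
    return r;
}

/* Returns 1 when the naive `pos + taglen > cap` test wraps in 32-bit arithmetic
 * and accepts a tag that the subtraction form correctly rejects. */
static int naive_check_fooled(uint32_t pos, uint32_t taglen, uint32_t cap)
{
    return (uint32_t)(pos + taglen) <= cap && taglen > cap - pos;
}
```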
ffmpeg-devel mailing list -- [email protected]
