PR #22497 opened by npc URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22497 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22497.patch
new_pes_packet() moves a buffer with pkt->buf = pes->buffer before JPEG-XS validation. If header_size > pkt->size, an early return leaves pes->buffer as a stale alias of pkt->buf with refcount 1. Later, mpegts_read_packet() calls av_packet_unref(), freeing the buffer through pkt->buf. The flush loop then re-enters new_pes_packet() and dereferences the dangling pes->buffer; a second path hits it via av_buffer_unref() in handle_packets() after a seek. Commit the buffer move and clear data_index before the early return, same as the success path. Fixes: use after free Fixes regression since 16f89d342e. Found-by: Nicholas Carlini <[email protected]> >From 91068d910598c343511ed80fa37c989ef63f95e3 Mon Sep 17 00:00:00 2001 From: Nicholas Carlini <[email protected]> Date: Fri, 13 Mar 2026 21:56:54 +0000 Subject: [PATCH] avformat/mpegts: reset PES state before JPEG-XS error return new_pes_packet() moves a buffer with pkt->buf = pes->buffer before JPEG-XS validation. If header_size > pkt->size, an early return leaves pes->buffer as a stale alias of pkt->buf with refcount 1. Later, mpegts_read_packet() calls av_packet_unref(), freeing the buffer through pkt->buf. The flush loop then re-enters new_pes_packet() and dereferences the dangling pes->buffer; a second path hits it via av_buffer_unref() in handle_packets() after a seek. Commit the buffer move and clear data_index before the early return, same as the success path. Fixes: use after free Fixes regression since 16f89d342e. Found-by: Nicholas Carlini <[email protected]> --- libavformat/mpegts.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 0ee10f9a77..43b983660f 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c 
@@ -1040,7 +1040,8 @@ static int new_pes_packet(PESContext *pes, AVPacket *pkt) av_log(pes->stream, AV_LOG_WARNING, "Invalid JPEG-XS header size %"PRIu32" > packet size %d\n", header_size, pkt->size); - pes->flags |= AV_PKT_FLAG_CORRUPT; + pes->buffer = NULL; + reset_pes_packet_state(pes); return AVERROR_INVALIDDATA; } pkt->data += header_size; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
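Review bot: the hunk drops `pes->flags |= AV_PKT_FLAG_CORRUPT;` without the commit message saying why; if reset_pes_packet_state() already clears pes->flags the old line was dead and a sentence in the message should say so, otherwise the flag should stay alongside the new reset so the caller still sees the packet marked corrupt. A short comment above `pes->buffer = NULL;` would also help: ownership of the buffer has already moved to pkt->buf (the caller's av_packet_unref() releases it), so the alias must be dropped, not unref'd, before reset_pes_packet_state() runs; that ordering is the whole fix and is not obvious from the two added lines alone.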
