PR #23576 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23576 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23576.patch
avformat/hls: Avoid infinite loop with self-referencing variant playlist avformat/hls_sample_encryption: Validate ADTS frame length against packet >From 73b695905a9482c9133db137245e5e4308509bb7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Tue, 23 Jun 2026 04:15:24 +0200 Subject: [PATCH 1/2] avformat/hls_sample_encryption: Validate ADTS frame length against packet Fixes: out of array access Fixes: playlist.m3u8 / make_poc.py Fixes: rJ50u41V7ctk Fixes: ff958b3846 (libavformat/hls: add support for decryption of HLS media segments encrypted using SAMPLE-AES encryption method) Found-by: Clouditera Security Research Team <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/hls_sample_encryption.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/hls_sample_encryption.c b/libavformat/hls_sample_encryption.c index 26de098dda..c41de3143b 100644 --- a/libavformat/hls_sample_encryption.c +++ b/libavformat/hls_sample_encryption.c @@ -374,6 +374,13 @@ static int decrypt_audio_frame(enum AVCodecID codec_id, HLSCryptoContext *crypto ret = get_next_sync_frame(codec_id, &ctx, &frame); if (ret < 0) return ret; + if (frame.length < frame.header_length || + frame.length > ctx.buf_end - frame.data) { + av_log(NULL, AV_LOG_ERROR, + "Sample-AES: declared frame length %d exceeds packet data\n", + frame.length); + return AVERROR_INVALIDDATA; + } if (frame.length - frame.header_length > 31) { ret = decrypt_sync_frame(codec_id, crypto_ctx, &frame); if (ret < 0) -- 2.52.0 >From 671ffcc80badfbacd73fd0a3000fb5c871cebd2a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Tue, 23 Jun 2026 04:15:24 +0200 Subject: [PATCH 2/2] avformat/hls: Avoid infinite loop with self-referencing variant playlist Fixes: recursion.m3u8 Fixes: cEy2cxyyPaLH Fixes: cd223e0b4e (Add Apple HTTP Live Streaming demuxer) Found-by: BapToutatis 
Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/hls.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 4c56b954bb..11c3812b30 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -2218,7 +2218,9 @@ static int hls_read_header(AVFormatContext *s) /* If the playlist only contained playlists (Master Playlist), * parse each individual playlist. */ if (c->n_playlists > 1 || c->playlists[0]->n_segments == 0) { - for (i = 0; i < c->n_playlists; i++) { + /* Only parse the playlists discovered by the initial master-playlist */ + int nb_playlists = c->n_playlists; + for (i = 0; i < nb_playlists; i++) { struct playlist *pls = c->playlists[i]; pls->m3u8_hold_counters = 0; if ((ret = parse_playlist(c, pls->url, pls, NULL)) < 0) { -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
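Review bot: In the libavformat/hls_sample_encryption.c hunk (PATCH 1/2), the error text only matches one of the two conditions being rejected: when `frame.length < frame.header_length` the log still says "declared frame length %d exceeds packet data", which will mislead anyone triaging a report. Consider a neutral message such as "invalid frame length %d", or splitting the two cases. The call also uses `av_log(NULL, ...)`, so the message cannot be attributed to a particular demuxer instance or filtered by its log level; if a logging context can be reached from decrypt_audio_frame(), passing it would be preferable. A short comment above the check noting that it also guarantees `frame.length - frame.header_length` is non-negative for the `> 31` test that follows would help the next reader.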
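Review bot: In the libavformat/hls.c hunk (PATCH 2/2), bounding the loop with `nb_playlists` means any entries that parse_playlist() appends to `c->playlists` during the loop stay in the array but are never parsed, and nothing reports that they were skipped. Since `c->n_playlists` still counts them, it would be worth confirming that the rest of hls_read_header() is safe with playlists that have no segments, or else logging a warning and dropping them when `c->n_playlists > nb_playlists` after the loop. The new comment could also say why the count is snapshotted (a variant playlist that lists further variants, including itself, grows the array while it is being iterated), because "discovered by the initial master-playlist" alone does not explain the hazard.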
