PR #21279 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21279 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21279.patch
>From 15aac980e8ed30cf04e1804ae0db66200207214c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Mon, 22 Dec 2025 23:59:53 +0100
Subject: [PATCH 1/2] avformat/hls: Check seg size and offset for overflow
Fixes: integer overflow
Fixes: signed integer overflow: 9223372036854775807 + 2039324394 cannot be represented in type 'int64_t' (aka 'long')
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/hls.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavformat/hls.c b/libavformat/hls.c
index 22ee1c6872..11d3050b20 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -975,6 +975,10 @@ static int parse_playlist(HLSContext *c, const char *url,
 ptr = strchr(ptr, '@');
 if (ptr)
 seg_offset = strtoll(ptr+1, NULL, 10);
+ if (seg_size < 0 || seg_offset > INT64_MAX - seg_size) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
 } else if (av_strstart(line, "#", NULL)) {
 av_log(c->ctx, AV_LOG_VERBOSE, "Skip ('%s')\n", line);
 continue;
--
2.49.1
>From 75b5ca736df05b35be1eb30a1ae3ca99e6f15bea Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Tue, 23 Dec 2025 00:09:05 +0100
Subject: [PATCH 2/2] avformat/hls: Fix arguments of handle_rendition_args()
Fixes: call to function handle_rendition_args through pointer to incorrect function type 'void (*)(void *, const char *, int, char **, int *)'
Fixes: 464965411/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-4790164406992896
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/hls.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/hls.c b/libavformat/hls.c
index 11d3050b20..bc5494e42d 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
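Review bot: In the parse_playlist hunk of patch 1/2, the added guard rejects a negative `seg_size` and an overflowing sum but still accepts a negative `seg_offset`, which `strtoll(ptr+1, NULL, 10)` returns unchanged when the playlist puts a negative number after the `@`. A negative offset cannot overflow the addition, yet it is not a valid byte-range start and presumably flows into the segment's URL offset later in the function, outside this hunk. Consider `if (seg_size < 0 || seg_offset < 0 || seg_offset > INT64_MAX - seg_size) {`. parse_playlist starts and ends outside the hunk, so whether other byte-range parsing in the file needs the same guard cannot be told from here.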
@@ -574,9 +574,11 @@ static struct rendition *new_rendition(HLSContext *c, struct rendition_info *inf
 return rend;
 }
-static void handle_rendition_args(struct rendition_info *info, const char *key,
+static void handle_rendition_args(void *vinfo, const char *key,
 int key_len, char **dest, int *dest_len)
 {
+ struct rendition_info *info = vinfo;
+
 if (!strncmp(key, "TYPE=", key_len)) {
 *dest = info->type;
 *dest_len = sizeof(info->type);
--
2.49.1
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
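Review bot: The new `void *vinfo` signature of handle_rendition_args only pays off if the call site stops casting the function pointer; that call is outside this hunk, but if it still casts the function to the parser's callback type, the cast should be dropped so the compiler checks the signature from now on. Any sibling key/value callbacks in hls.c that take a typed struct pointer as their first parameter would presumably trip the same sanitizer check and deserve the same change. A one-line comment above the function would record why the parameter is untyped, e.g. `/* vinfo is a struct rendition_info *; the signature must match the key/value parser callback type */`. The function body continues past the end of the hunk.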
