
Full Disclosure mailing list archives
FFmpeg 7.0+ Heap Use-After-Free in FFmpeg HLS Demuxer (libavformat/utils.c)
From: Ron E <ronaldjedgerson () gmail com>
Date: Sun, 7 Sep 2025 01:31:45 -0400
Malformed .m3u8 playlists can trigger a heap use-after-free when the HLS demuxer handles segment references. ASan reports access to freed memory inside libavformat/utils.c:528. A crafted .m3u8 could allow remote attackers to achieve denial of service (DoS), information disclosure, or potentially remote code execution depending on heap state. (FFmpeg 7.0-8.0) *Impact:* - Remote attackers can crash the transcoder with a malicious playlist. - Under certain heap layouts, this may be exploitable for arbitrary code execution. *Proof of Concept:* #EXTM3U #EXTINF:10, dummy.ts UBSAN_OPTIONS=print_stacktrace=1 ASAN_OPTIONS=abort_on_error=1 ./ffmpeg -i malicious.m3u8 -c copy out.mp4 ERROR: AddressSanitizer: heap-use-after-free on address 0x5080000000c8 READ of size 4 freed by thread T0 here: free() previously allocated by thread T0 here: posix_memalign() _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- FFmpeg 7.0+ Heap Use-After-Free in FFmpeg HLS Demuxer (libavformat/utils.c) Ron E (Sep 08)