This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 976490dcc3 avformat/hls_sample_encryption: Validate ADTS frame length
against packet
976490dcc3 is described below
commit 976490dcc3dbe0684851c30eff88a85d4d386d1a
Author: Michael Niedermayer <[email protected]>
AuthorDate: Tue Jun 23 04:15:24 2026 +0200
Commit: michaelni <[email protected]>
CommitDate: Mon Jul 6 00:16:18 2026 +0000
avformat/hls_sample_encryption: Validate ADTS frame length against packet
Fixes: out of array access
Fixes: playlist.m3u8 / make_poc.py
Fixes: rJ50u41V7ctk
Fixes: ff958b3846 (libavformat/hls: add support for decryption of HLS media
segments encrypted using SAMPLE-AES encryption method)
Found-by: Clouditera Security Research Team <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavformat/hls_sample_encryption.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libavformat/hls_sample_encryption.c
b/libavformat/hls_sample_encryption.c
index 26de098dda..c41de3143b 100644
--- a/libavformat/hls_sample_encryption.c
+++ b/libavformat/hls_sample_encryption.c
@@ -374,6 +374,13 @@ static int decrypt_audio_frame(enum AVCodecID codec_id,
HLSCryptoContext *crypto
ret = get_next_sync_frame(codec_id, &ctx, &frame);
if (ret < 0)
return ret;
+ if (frame.length < frame.header_length ||
+ frame.length > ctx.buf_end - frame.data) {
+ av_log(NULL, AV_LOG_ERROR,
+ "Sample-AES: declared frame length %d exceeds packet
data\n",
+ frame.length);
+ return AVERROR_INVALIDDATA;
+ }
if (frame.length - frame.header_length > 31) {
ret = decrypt_sync_frame(codec_id, crypto_ctx, &frame);
if (ret < 0)
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]