Bug 1220547 (CVE-2023-6603)

Summary: VUL-0: CVE-2023-6603: ffmpeg,ffmpeg-4: HLS EXT-X-MAP Null Dereference
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: E-mail List <gnome-bugs>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gnome-bugs, stoyan.manolov, thomas.leroy
Version: unspecified
Flags: stoyan.manolov: needinfo? (gnome-bugs)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/395218/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-6603:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-02-28 11:02:33 UTC
FFmpeg Findings 2023.12.01
Overview
Included in this document are five (5) bugs in the open-source package ffmpeg. Internal CVSS 3.1 scoring for these bugs ranges from 3.9 to 7.2. Attribution for these findings: Harvey Phillips of Amazon Element55 (element55@amazon.com).

If the recipient of this notice (secalert@redhat.com) has any questions regarding these findings, please do not hesitate to contact us at element55@amazon.com.


III. HLS EXT-X-MAP Null Dereference
Affected Versions: 3.0 → 5.0 (commit)


Suggested CVSS 3.1: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary
An instance of FFmpeg that does not enforce an input format can be provided an incorrectly formatted HLS playlist which triggers a null pointer dereference leading to a segfault.


Impact
A maliciously crafted input file can reliably crash FFmpeg, possibly leading to a denial of service.


Description
When parsing an HLS playlist, FFmpeg prior to version 5.0 will not check the return value of new_init_section(). When this function encounters an error, it returns NULL, leading to a null pointer dereference when members of cur_init_section are accessed.


Reproduction
Example Input (input.mp4):


#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-MAP:URI="
data://test/plain;base64,QUFBQQo=.m3u8
#EXT-X-ENDLIST


Trigger with ffmpeg -i input.mp4 output.mp4. FFmpeg will crash with a segmentation fault (core dumped) message on Linux.


Remediation
The return value of new_init_section() is checked by this commit.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6603
https://bugzilla.redhat.com/show_bug.cgi?id=2253172
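As an added illustration for this bug, not part of the report above and not FFmpeg's hls.c: a stripped-down C model of the EXT-X-MAP handling the report describes, with the unchecked (pre-fix) pattern and the checked form side by side. Only the names new_init_section and cur_init_section follow the report; the structs, the line-based parser, the return codes, and the choice to treat an opening quote with nothing after it as an empty URI are assumptions made for this example. The two playlists are constructed inline: the first is the report's malformed input, the second a well-formed one.

```c
/* Added example for this page, not FFmpeg's hls.c: a stripped-down model of
 * the EXT-X-MAP handling the report describes. Only the names new_init_section
 * and cur_init_section follow the report; everything else is invented here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct init_section { char uri[256]; int key_type; };
struct playlist { struct init_section *sections[8]; int n_sections, n_segments; };

/* Copy the URI="..." value out of an EXT-X-MAP attribute list. Model
 * assumption: a missing attribute, or an opening quote with nothing after it
 * (the malformed line in the report), leaves uri empty. */
static void parse_map_uri(const char *attrs, char *uri, size_t len)
{
    const char *p = strstr(attrs, "URI=\""), *q;
    size_t n;
    uri[0] = '\0';
    if (!p || !(q = strchr(p += 5, '"')))
        return;
    n = (size_t)(q - p) < len ? (size_t)(q - p) : len - 1;
    memcpy(uri, p, n);
    uri[n] = '\0';
}

/* Model of new_init_section(): NULL signals an error (empty URI, full table
 * or allocation failure); the caller is expected to check for it. */
static struct init_section *new_init_section(struct playlist *pls, const char *uri)
{
    struct init_section *sec;
    if (!uri[0] || pls->n_sections >= 8 || !(sec = calloc(1, sizeof(*sec))))
        return NULL;
    snprintf(sec->uri, sizeof(sec->uri), "%s", uri);
    pls->sections[pls->n_sections++] = sec;
    return sec;
}

static void free_playlist(struct playlist *pls)
{
    while (pls->n_sections > 0)
        free(pls->sections[--pls->n_sections]);
}

/* Parse a playlist line by line. With check_return == 0 the EXT-X-MAP branch
 * mirrors the pre-fix pattern from the report: the pointer returned by
 * new_init_section() is written through without a NULL check, so the malformed
 * line dereferences NULL. With check_return != 0 a NULL return yields -1. */
static int parse_playlist(struct playlist *pls, const char *text, int check_return)
{
    struct init_section *cur_init_section = NULL;
    int key_type = 0;   /* stand-in for the key type carried between lines */
    const char *line = text;

    memset(pls, 0, sizeof(*pls));
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512];

        if (len >= sizeof(buf)) len = sizeof(buf) - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (strncmp(buf, "#EXT-X-MAP:", 11) == 0) {
            char uri[256];
            parse_map_uri(buf + 11, uri, sizeof(uri));
            cur_init_section = new_init_section(pls, uri);
            if (check_return && !cur_init_section) {
                free_playlist(pls);
                return -1;                          /* hardened: propagate */
            }
            cur_init_section->key_type = key_type;  /* NULL deref when unchecked */
        } else if (buf[0] != '#' && buf[0] != '\0') {
            pls->n_segments++;                      /* segment URL line */
        }
        line = end ? end + 1 : line + len;
    }
    return 0;
}

/* Constructed inputs: the report's malformed playlist and a well-formed one. */
static const char *malformed_playlist =
    "#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXT-X-MAP:URI=\"\n"
    "data://test/plain;base64,QUFBQQo=.m3u8\n#EXT-X-ENDLIST\n";
static const char *good_playlist =
    "#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXT-X-MAP:URI=\"init.mp4\"\n"
    "seg0.m4s\n#EXT-X-ENDLIST\n";

int main(void)
{
    struct playlist pls;
    int ret = parse_playlist(&pls, malformed_playlist, 1);
    printf("hardened, malformed: %d\n", ret);             /* -1, no crash */
    ret = parse_playlist(&pls, good_playlist, 1);
    printf("hardened, good: %d (%d init section(s), %d segment(s))\n",
           ret, pls.n_sections, pls.n_segments);
    free_playlist(&pls);
    /* parse_playlist(&pls, malformed_playlist, 0) would segfault here. */
    return 0;
}
```

Compile with any C99 compiler and run; the hardened path returns -1 for the report's playlist instead of crashing, and the commented-out unchecked call reproduces the segfault because the write through cur_init_section happens before anything looks at the return value.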