Bugzilla – Bug 1220547
VUL-0: CVE-2023-6603: ffmpeg,ffmpeg-4: HLS EXT-X-MAP Null Dereference
Last modified: 2024-07-03 05:20:06 UTC
FFmpeg Findings 2023.12.01

Overview

Included in this document are five (5) bugs in the open-source package ffmpeg. Internal CVSS 3.1 scoring for these bugs ranges from 3.9 to 7.2.

Attribution for these findings: Harvey Phillips of Amazon Element55 (element55@amazon.com).

If the recipient of this notice (secalert@redhat.com) has any questions regarding these findings, please do not hesitate to contact us at element55@amazon.com.

III. HLS EXT-X-MAP Null Dereference

Affected Versions: 3.0 → 5.0 (commit)
Suggested CVSS 3.1: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

An instance of FFmpeg that does not enforce an input format can be provided an incorrectly formatted HLS playlist which triggers a null pointer dereference leading to a segfault.

Impact

A maliciously crafted input file can reliably crash FFmpeg, possibly leading to a denial of service.

Description

When parsing an HLS playlist, FFmpeg prior to version 5.0 will not check the return value of new_init_section(). When this function encounters an error, it returns NULL, leading to a null pointer dereference when members of cur_init_section are accessed.

Reproduction

Example Input (input.mp4):

    #EXTM3U
    #EXT-X-MEDIA-SEQUENCE:0
    #EXT-X-MAP:URI=" data://test/plain;base64,QUFBQQo=.m3u8
    #EXT-X-ENDLIST

Trigger with ffmpeg -i input.mp4 output.mp4. FFmpeg will crash with a segmentation fault (core dumped) message on Linux.

Remediation

The return value of new_init_section() is checked by this commit.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6603
https://bugzilla.redhat.com/show_bug.cgi?id=2253172
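
The checked-return pattern that the Description and Remediation refer to, as an added example that is not FFmpeg's code or the referenced commit. The names new_init_section_model and handle_ext_x_map, the struct layout, and the failure condition (an empty URI) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for an HLS init section; not FFmpeg's struct. */
struct init_section { char url[256]; };

/* Hypothetical model of a constructor that, like new_init_section() as
 * described above, returns NULL on error. The failure condition used here
 * (empty or oversized URI) is an assumption for illustration. */
static struct init_section *new_init_section_model(const char *uri)
{
    struct init_section *sec;
    if (!uri || !uri[0] || strlen(uri) >= sizeof(sec->url))
        return NULL;
    sec = calloc(1, sizeof(*sec));
    if (!sec)
        return NULL;
    strcpy(sec->url, uri);
    return sec;
}

/* Handle one "#EXT-X-MAP:" URI value. Returns 0 on success and -1 on
 * invalid data; *cur is only replaced once the constructor succeeded. */
static int handle_ext_x_map(const char *uri, struct init_section **cur)
{
    struct init_section *sec = new_init_section_model(uri);
    /* The unchecked pattern would read sec->url here and crash on NULL. */
    if (!sec)
        return -1;      /* reject the playlist instead of dereferencing */
    free(*cur);
    *cur = sec;
    return 0;
}

int main(void)
{
    struct init_section *cur = NULL;
    /* Constructed sample inputs. */
    printf("valid: %d\n", handle_ext_x_map("init.mp4", &cur));
    printf("empty: %d\n", handle_ext_x_map("", &cur));
    printf("current section: %s\n", cur ? cur->url : "(none)");
    free(cur);
    return 0;
}
```

On failure the caller gets an error code and the previously valid section is left untouched, so a malformed tag ends parsing cleanly.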