From patchwork Sun Mar 17 02:36:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Kacper_Michaj=C5=82ow?= X-Patchwork-Id: 47123
From: =?utf-8?q?Kacper_Michaj=C5=82ow?= To: ffmpeg-devel@ffmpeg.org Date: Sun, 17 Mar 2024 03:36:16 +0100 Message-ID: <20240317023628.1936-1-kasper93@gmail.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH] avformat/hls: update current segment reference before use X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: =?utf-8?q?Kacper_Michaj=C5=82ow?= Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: BfrBNGAKgC3I It may be invalidated by the time it is used. Fixes use after free when accessing current segment. Fixes: #10825 --- libavformat/hls.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index f6b44c2e35..94bc6bc064 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -2098,6 +2098,7 @@ static int hls_read_header(AVFormatContext *s) * If encryption scheme is SAMPLE-AES and audio setup information is present in external audio track, * use that information to find the media format, otherwise probe input data */ + seg = current_segment(pls); if (seg && seg->key_type == KEY_SAMPLE_AES && pls->is_id3_timestamped && pls->audio_setup_info.codec_id != AV_CODEC_ID_NONE) { void *iter = NULL; @@ -2124,6 +2125,7 @@ static int hls_read_header(AVFormatContext *s) av_free(url); } + seg = current_segment(pls); if (seg && seg->key_type == KEY_SAMPLE_AES) { if (strstr(in_fmt->name, "mov")) { char key[33]; 
@@ -2170,6 +2172,7 @@ static int hls_read_header(AVFormatContext *s) * on us if they want to. */ if (pls->is_id3_timestamped || (pls->n_renditions > 0 && pls->renditions[0]->type == AVMEDIA_TYPE_AUDIO)) { + seg = current_segment(pls); if (seg && seg->key_type == KEY_SAMPLE_AES && pls->audio_setup_info.setup_data_length > 0 && pls->ctx->nb_streams == 1) ret = ff_hls_senc_parse_audio_setup_info(pls->ctx->streams[0], &pls->audio_setup_info);
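Review bot: In the first hunk (@@ -2098,6 +2098,7) the added seg = current_segment(pls); sits between the block comment about SAMPLE-AES audio setup and the if that the comment describes, and nothing at the site says why seg is fetched again. The commit message only says the reference "may be invalidated by the time it is used". Please move the assignment above the existing comment and add a one-line comment stating that the earlier pointer may no longer be valid here, so a later cleanup does not drop the line as a redundant reload.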
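Review bot: The second hunk (@@ -2124,6 +2125,7) repeats the same refresh after the av_free(url) block, and the statement appears in all three hunks, so the underlying hazard is a seg local that is kept across every one of these sites in hls_read_header(). Any use of seg added later between the refresh points would read the same stale pointer. Consider dropping the long-lived local and calling current_segment(pls) at each use, or declaring the pointer inside each if block that needs it, so the lifetime of the cached value is visibly short.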
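Review bot: In the third hunk (@@ -2170,6 +2172,7) the refresh is placed inside the if (pls->is_id3_timestamped || ...) block, so seg is only updated when that condition holds and remains stale for anything that reads it after the block. Please confirm nothing later in the function uses seg, or move the assignment in front of the outer if. The commit message also cites #10825 without naming the operation that invalidates the segment between these sites; stating it would let reviewers check that these three locations are the complete set.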