FFmpeg 2.8 and 4.2.3 has a use-after-free via a crafted EXTINF duration in an m3u8 file because parseplaylist in libavformat/hls.c frees a pointer, and later that pointer is accessed in avprobeinputformat3 in libavformat/format.c.
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"158144811077034995109933837677768601857",
"281751093908803107971940014393508807726",
"240764462031438200492845385032705040109",
"15703913043383878175200160282698241320",
"138080608107875226115977774548120949879",
"259048102838479733394805058517030239279",
"17084527969274049166290416022132557131",
"269990059958938381327368365588722984632"
]
},
"target": {
"file": "libavformat/hls.c"
},
"signature_type": "Line",
"deprecated": false,
"source": "https://github.com/ffmpeg/ffmpeg/commit/6959358683c7533f586c07a766acc5fe9544d8b2",
"signature_version": "v1",
"id": "CVE-2020-13904-2b8821e2"
},
{
"digest": {
"function_hash": "45061495392761575669141487341416533816",
"length": 4983.0
},
"target": {
"function": "parse_playlist",
"file": "libavformat/hls.c"
},
"signature_type": "Function",
"deprecated": false,
"source": "https://github.com/ffmpeg/ffmpeg/commit/6959358683c7533f586c07a766acc5fe9544d8b2",
"signature_version": "v1",
"id": "CVE-2020-13904-f5815e55"
}
]