Re: [FFmpeg-devel] [PATCH 1/3] avformat/dashdec: fail on probing non mpd file extension

Mon, 08 May 2023 07:06:05 -0700 

On 08/05/2023 14:00, James Almer wrote:


On 5/6/2023 10:25 AM, Michael Niedermayer wrote:
Its unexpected that a .avi or other "standard" file turns into a playlist. 
The goal of this patch is to avoid this unexpected behavior and possible
privacy or security differences.

This is similar to the same change to hls

Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
  libavformat/dashdec.c | 11 +++++++----
  1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index 29d4680c68..294e14150d 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -2336,10 +2336,13 @@ static int dash_probe(const AVProbeData *p)
          av_stristr(p->buf, "dash:profile:isoff-live:2011") ||
          av_stristr(p->buf, "dash:profile:isoff-live:2012") ||
          av_stristr(p->buf, "dash:profile:isoff-main:2011") ||
-        av_stristr(p->buf, "3GPP:PSS:profile:DASH1")) {
-        return AVPROBE_SCORE_MAX;
-    }
-    if (av_stristr(p->buf, "dash:profile")) {
+        av_stristr(p->buf, "3GPP:PSS:profile:DASH1") ||
+        av_stristr(p->buf, "dash:profile")) {
+        if (!av_match_ext(p->filename, "mpd")) {
+            av_log(NULL, AV_LOG_ERROR, "Not detecting dash with non standard extension\n"); 
+            return 0;
+        }
+
          return AVPROBE_SCORE_MAX;
      }
Failing because it didn't match an extensions sort of goes against the point of probing, which even has a low score return value that's basically "it matched extension" as a sort of last resort.
I'd say wrap this in a FF_COMPLIANCE_STRICT check (since i assume the spec does state mpd must be the extension), but i think we have no access to the AVFormatContext here?
DASH is usually transferred over HTTP where file extensions are of minor interest, the relevant type information is in the Mime-Type header.
I think we already have the "format_whitelist" API for applications that want to restrict the list of formats when loading a file from untrusted sources? 

Regards, Tobias

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to