On Thu, Jan 16, 2025 at 04:39:51AM +0100, Michael Niedermayer wrote:
> This blocks disallowed extensions from probing
> It also requires segments to have matching extensions to the format
> 
> It is recommended to set the whitelists correctly
> instead of depending on extensions, but this should help a bit,
> and this is easier to backport
> 
> Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
> Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
> 
> The other parts of CVE-2023-6602 have been fixed by prior commits
> 
> Found-by: Harvey Phillips of Amazon Element55 (element55)
> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> ---
>  libavformat/hls.c | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
> 
> diff --git a/libavformat/hls.c b/libavformat/hls.c
> index 045741c3b4e..a802eafc3fe 100644
> --- a/libavformat/hls.c
> +++ b/libavformat/hls.c
> @@ -223,6 +223,7 @@ typedef struct HLSContext {
>      AVDictionary *avio_opts;
>      AVDictionary *seg_format_opts;
>      char *allowed_extensions;
> +    int extension_picky;
>      int max_reload;
>      int http_persistent;
>      int http_multiple;
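
Review bot: `extension_picky` is added to HLSContext without a comment, and the commit message does not say what its default is or how it gets set. A short comment here stating that a non-zero value enables the per-segment extension checks in hls_read_header(), plus a line in the commit message naming the default, would make the behaviour change clearer for anyone backporting this.
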
> @@ -2114,6 +2115,24 @@ static int hls_read_header(AVFormatContext *s)
>              pls->ctx->interrupt_callback = s->interrupt_callback;
>              url = av_strdup(pls->segments[0]->url);
>              ret = av_probe_input_buffer(&pls->pb.pub, &in_fmt, url, NULL, 0, 
> 0);
> +            if (c->extension_picky && ret >= 0) {
> +                for (int n = 0; n < pls->n_segments; n++) {
> +                    struct segment *seg = pls->segments[n];
> +                    if ( strcmp(c->allowed_extensions, "ALL") &&
> +                        !av_match_ext    (seg->url, c->allowed_extensions) &&
> +                        !ff_match_url_ext(seg->url, c->allowed_extensions)) {
> +                        av_log(s, AV_LOG_ERROR, "URL %s is not in 
> allowed_extensions\n", seg->url);
> +                        ret = AVERROR_INVALIDDATA;
> +                    }
> +
> +                    if (!in_fmt->extensions ||
> +                        !av_match_ext(    seg->url, in_fmt->extensions) &&
> +                        !ff_match_url_ext(seg->url, in_fmt->extensions)) {
> +                        av_log(s, AV_LOG_ERROR, "detected format extension 
> %s mismatches url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", 
> seg->url);
> +                        ret = AVERROR_INVALIDDATA;
> +                    }
> +                }
> +            }
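
Review bot: the two tests inside the `for` loop are evaluated independently, and each one passes when either av_match_ext() or ff_match_url_ext() reports a match, so a segment URL that carries two extensions can satisfy the allowed_extensions test with one and the in_fmt->extensions test with the other. Deriving one extension per segment URL and checking that same value against both lists would close this. Separately, the loop keeps iterating after `ret = AVERROR_INVALIDDATA`, so a long playlist logs an error for every segment; a `break` after the first failure would be enough. The second condition also mixes `||` and `&&` without parentheses; explicit parentheses around the `&&` pair would make the grouping obvious and avoid compiler warnings.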

This has a bug (you can have 2 extensions in a URL, one in allowed and the other
in the format); I'll post a better version later

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The misfortune of the wise is better than the prosperity of the fool.
-- Epicurus
