Hi all

On Thu, Jan 16, 2025 at 02:23:07PM +0100, Michael Niedermayer wrote:
> This blocks disallowed extensions from probing
> It also requires all available segments to have matching extensions to the
> format
>
> It is recommended to set the whitelists correctly
> instead of depending on extensions, but this should help a bit,
> and this is easier to backport
>
> Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
> Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
>
> The other parts of CVE-2023-6602 have been fixed by prior commits
>
> Found-by: Harvey Phillips of Amazon Element55 (element55)
> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> ---
>  libavformat/hls.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 48 insertions(+)

If someone has a testcase that after playback starts, adds cases to the list,
please test that. I have no testcase for that and thus did not test if the
newly added tests behave correctly for that.

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Asymptotically faster algorithms should always be preferred if you have
asymptotical amounts of data
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
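
As an added illustration of the two checks the quoted commit message describes (this is not code from the patch or from FFmpeg), the C program below audits an HLS playlist offline: every segment URI must carry an allow-listed extension, and that extension must also be one the detected format claims. The function names, both extension lists and the sample playlists are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Extension of a URI's last path component, query/fragment dropped; 0 if none. */
static int uri_ext(const char *uri, char *ext, size_t n)
{
    size_t end = strcspn(uri, "?#\r\n"), dot = end;
    for (size_t i = end; i > 0 && uri[i - 1] != '/'; i--)
        if (uri[i - 1] == '.') { dot = i; break; }
    if (dot == end || end - dot >= n) return 0;
    snprintf(ext, n, "%.*s", (int)(end - dot), uri + dot);
    return 1;
}

/* Case-insensitive membership test in a comma-separated list. */
static int in_list(const char *ext, const char *list)
{
    size_t n = strlen(ext);
    for (const char *p = list; *p; p += strcspn(p, ","), p += (*p == ','))
        if (strcspn(p, ",") == n && !strncasecmp(p, ext, n)) return 1;
    return 0;
}

/* 0 = ok; -1 = extension not allow-listed; -2 = extension does not match format */
int check_playlist(const char *m3u8, const char *allowed, const char *fmt_exts)
{
    char ext[16];
    for (const char *p = m3u8; *p; p += strcspn(p, "\n"), p += (*p == '\n')) {
        if (*p != '\n' && *p != '#' && *p != '\r') {   /* a segment URI line */
            if (!uri_ext(p, ext, sizeof ext) || !in_list(ext, allowed)) return -1;
            if (!in_list(ext, fmt_exts)) return -2;
        }
    }
    return 0;
}

/* Constructed samples and assumed lists (not from the page or from FFmpeg). */
static const char *ALLOWED = "ts,mp4,m4s,aac", *FMT_EXTS = "ts,m2ts,mts";
static const char *PL_OK  = "#EXTM3U\n#EXTINF:4,\nseg0.ts\n#EXTINF:4,\nhttps://cdn.example/a/seg1.TS?t=1\n";
static const char *PL_TXT = "#EXTM3U\n#EXTINF:4,\nseg0.ts\n#EXTINF:4,\nnotes.txt\n";
static const char *PL_MIX = "#EXTM3U\n#EXTINF:4,\nseg0.ts\n#EXTINF:4,\nseg1.mp4\n";

int main(void)
{
    printf("%d %d %d\n", check_playlist(PL_OK, ALLOWED, FMT_EXTS),
           check_playlist(PL_TXT, ALLOWED, FMT_EXTS), check_playlist(PL_MIX, ALLOWED, FMT_EXTS));
}
```

A segment with no extension at all is rejected the same way as a disallowed one, since the filename gives the check nothing to match against.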