On Thu, Jan 16, 2025 at 02:37:39PM +0100, Michael Niedermayer wrote:
> Hi all
>
> On Thu, Jan 16, 2025 at 02:23:07PM +0100, Michael Niedermayer wrote:
> > This blocks disallowed extensions from probing
> > It also requires all available segments to have matching extensions to the
> > format
> >
> > It is recommended to set the whitelists correctly
> > instead of depending on extensions, but this should help a bit,
> > and this is easier to backport
> >
> > Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
> > Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
> >
> > The other parts of CVE-2023-6602 have been fixed by prior commits
> >
> > Found-by: Harvey Phillips of Amazon Element55 (element55)
> > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> > ---
> >  libavformat/hls.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 48 insertions(+)
>
> If someone has a testcase that after playback starts, adds cases to the
> list, please test that. I have no testcase for that and thus did not
> test if the newly added tests behave correctly for that.
no one cares, ok, can't just leave security fixes unapplied
will apply
thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Old school: Use the lowest level language in which you can solve the problem
conveniently. New school: Use the highest level language in which the latest
supercomputer can solve the problem without the user falling asleep waiting.
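The two policies the commit message describes (a segment whose extension is not expected for the format is not probed, and a playlist is rejected when any available segment's extension does not match the format), as an added illustration in Python rather than ffmpeg's own C change to libavformat/hls.c; the playlist, the expected-extension table, the format whitelist and the function names are all constructed for this example and are not taken from the patch:

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample playlist (not from the thread): the last segment carries
# an extension that no MPEG-TS based HLS stream should reference.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXTINF:9.0,
seg0.ts
#EXTINF:9.0,
seg1.ts?token=abc
#EXTINF:9.0,
http://cdn.example/seg2.xbin
#EXT-X-ENDLIST
"""

# Assumed mapping from the segment container to the extensions it is expected
# to use; the table is part of this illustration, not ffmpeg's own list.
EXPECTED_EXTENSIONS = {
    "mpegts": {".ts", ".m2t", ".m2ts"},
    "mp4": {".mp4", ".m4s"},
}


def segment_uris(playlist: str) -> list[str]:
    """Media segment URIs of an M3U8 playlist: every non-empty, non-tag line."""
    lines = [ln.strip() for ln in playlist.splitlines()]
    return [ln for ln in lines if ln and not ln.startswith("#")]


def extension_of(uri: str) -> str:
    """Extension of the URI's path component, ignoring query and fragment."""
    return posixpath.splitext(urlsplit(uri).path)[1].lower()


def check_segments(playlist: str, fmt: str, format_whitelist: set[str]) -> list[str]:
    """Return the segment URIs that violate the policy (empty list = accepted).

    A segment format outside the whitelist is refused outright, so every
    segment is reported; otherwise only segments whose extension does not
    belong to the expected set for `fmt` are reported (and must not be probed).
    """
    uris = segment_uris(playlist)
    if fmt not in format_whitelist:
        return uris
    allowed = EXPECTED_EXTENSIONS.get(fmt, set())
    return [u for u in uris if extension_of(u) not in allowed]
```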
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel