On Wed, Jan 22, 2025 at 09:36:09PM +0100, Michael Niedermayer wrote: > This blocks disallowed extensions from probing > It also requires all available segments to have matching extensions to the > format > mpegts is treated independent of the extension > > It is recommended to set the whitelists correctly > instead of depending on extensions, but this should help a bit, > and this is easier to backport > > Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer > Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification > > The other parts of CVE-2023-6602 have been fixed by prior commits > > Found-by: Harvey Phillips of Amazon Element55 (element55) > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > doc/demuxers.texi | 7 +++++++ > libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 57 insertions(+)
I intend to apply this patchset soon so it receives some testing before 7.1.1 [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB When the tyrant has disposed of foreign enemies by conquest or treaty, and there is nothing more to fear from them, then he is always stirring up some war or other, in order that the people may require a leader. -- Plato
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
