On Thu, Jan 23, 2025 at 10:27:47PM +0100, Michael Niedermayer wrote: > On Wed, Jan 22, 2025 at 09:36:09PM +0100, Michael Niedermayer wrote: > > This blocks disallowed extensions from probing > > It also requires all available segments to have matching extensions to the > > format > > mpegts is treated independent of the extension > > > > It is recommended to set the whitelists correctly > > instead of depending on extensions, but this should help a bit, > > and this is easier to backport > > > > Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer > > Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification > > > > The other parts of CVE-2023-6602 have been fixed by prior commits > > > > Found-by: Harvey Phillips of Amazon Element55 (element55) > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > doc/demuxers.texi | 7 +++++++ > > libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ > > 2 files changed, 57 insertions(+) > > I intend to apply this patchset soon so it receives some testing before 7.1.1
will apply [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
