This prevents an exploit leading to an information leak. The existing exploit depends on a specific decoder as well. It does appear, though, that the exploit should be possible with any decoder. The problem is that as long as sensitive information gets into the decoder, the output of the decoder becomes sensitive as well. The only obvious solution is to prevent access to sensitive information, or to disable hls or possibly some of its features. More complex solutions, like checking the path to limit access to only subdirectories of the hls path, may work as an alternative. But such solutions are fragile and tricky to implement portably, and they would neither stop every possible attack nor work with all valid hls files.
Found-by: Emil Lerner and Pavel Cheremushkin Reported-by: Thierry Foucu <tfo...@google.com> Fix inspired by: Tobias Rapp <t.r...@noa-archive.com> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavformat/options_table.h | 2 +- libavformat/utils.c | 6 +++++- tests/fate/avformat.mak | 4 ++-- tests/fate/filter-audio.mak | 4 ++-- 4 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/libavformat/options_table.h b/libavformat/options_table.h
index 0c1915d6d4..f33e126838 100644
--- a/libavformat/options_table.h
+++ b/libavformat/options_table.h
@@ -104,7 +104,7 @@ static const AVOption avformat_options[] = {
 {"make_zero", "shift timestamps so they start at 0", 0, AV_OPT_TYPE_CONST, {.i64 = AVFMT_AVOID_NEG_TS_MAKE_ZERO }, INT_MIN, INT_MAX, E, "avoid_negative_ts"},
 {"dump_separator", "set information dump field separator", OFFSET(dump_separator), AV_OPT_TYPE_STRING, {.str = ", "}, CHAR_MIN, CHAR_MAX, D|E},
 {"codec_whitelist", "List of decoders that are allowed to be used", OFFSET(codec_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D },
-{"format_whitelist", "List of demuxers that are allowed to be used", OFFSET(format_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D },
+{"format_whitelist", "List of demuxers that are allowed to be used", OFFSET(format_whitelist), AV_OPT_TYPE_STRING, { .str = "-hls,ALL" }, CHAR_MIN, CHAR_MAX, D },
 {"protocol_whitelist", "List of protocols that are allowed to be used", OFFSET(protocol_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D },
 {"protocol_blacklist", "List of protocols that are not allowed to be used", OFFSET(protocol_blacklist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D },
 {"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = 1000 }, 0, INT_MAX, D },
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 7dd6084f27..23160a89cc 100644
--- a/libavformat/utils.c
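Review bot: The new default `"-hls,ALL"` introduces an exclusion syntax that the option's help string, still `"List of demuxers that are allowed to be used"`, does not describe, and the diffstat shows no documentation file being touched. An application that opens HLS input through the library will start failing after this change with nothing in the option text to explain why, so the help string should say something like `"List of demuxers that are allowed to be used ('-name' excludes a demuxer, ALL matches the rest)"`, with a matching entry in the user documentation and API change log. The code that compares a demuxer name against this list is not part of the patch; it is worth confirming that it understands both the leading `-` and `ALL`, and that it handles demuxers registered under several comma-separated names, since otherwise the default would either block nothing or block everything. As the commit message itself notes, excluding one demuxer by name narrows the exposure rather than closing it, so deployments that process untrusted media are better served by an explicit allowlist of the formats they expect.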
+++ b/libavformat/utils.c @@ -144,8 +144,9 @@ void av_format_inject_global_side_data(AVFormatContext *s) int ff_copy_whiteblacklists(AVFormatContext *dst, const AVFormatContext *src) { + char *old_format_whitelist = dst->format_whitelist; // This has a non NULL default + av_assert0(!dst->codec_whitelist && - !dst->format_whitelist && !dst->protocol_whitelist && !dst->protocol_blacklist); dst-> codec_whitelist = av_strdup(src->codec_whitelist); @@ -157,8 +158,11 @@ int ff_copy_whiteblacklists(AVFormatContext *dst, const AVFormatContext *src) || (src->protocol_whitelist && !dst->protocol_whitelist) || (src->protocol_blacklist && !dst->protocol_blacklist)) { av_log(dst, AV_LOG_ERROR, "Failed to duplicate black/whitelist\n"); + av_free(dst->format_whitelist); + dst->format_whitelist = old_format_whitelist; return AVERROR(ENOMEM); } + av_free(old_format_whitelist); return 0; } diff --git a/tests/fate/avformat.mak b/tests/fate/avformat.mak index 82a531c7a5..77021b793e 100644 --- a/tests/fate/avformat.mak +++ b/tests/fate/avformat.mak 
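Review bot: The error path added in the second utils.c hunk rolls back only `format_whitelist`; any of `codec_whitelist`, `protocol_whitelist` or `protocol_blacklist` that was duplicated successfully before the failure stays set on `dst`. Because the `av_assert0` in the first hunk still requires those three to be NULL on entry, a caller that retries the copy on the same context after `AVERROR(ENOMEM)` would abort instead of getting a second error. Releasing them in the same branch keeps the failure atomic: `av_freep(&dst->codec_whitelist); av_freep(&dst->protocol_whitelist); av_freep(&dst->protocol_blacklist);` before restoring `old_format_whitelist`. The lines of `ff_copy_whiteblacklists` between the two hunks (the remaining `av_strdup` calls and the start of the `if`) are not shown, so this assumes they assign the four fields unconditionally.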
@@ -119,12 +119,12 @@ tests/data/adts-to-mkv-cated-%.mkv: tests/data/adts-to-mkv-header.mkv tests/data FATE_SEGMENT += fate-segment-mp4-to-ts fate-segment-mp4-to-ts: tests/data/mp4-to-ts.m3u8 -fate-segment-mp4-to-ts: CMD = framecrc -flags +bitexact -i $(TARGET_PATH)/tests/data/mp4-to-ts.m3u8 -c copy +fate-segment-mp4-to-ts: CMD = framecrc -flags +bitexact -format_whitelist ALL -i $(TARGET_PATH)/tests/data/mp4-to-ts.m3u8 -c copy FATE_SEGMENT-$(call ALLYES, MOV_DEMUXER H264_MP4TOANNEXB_BSF MPEGTS_MUXER MATROSKA_DEMUXER SEGMENT_MUXER HLS_DEMUXER) += fate-segment-mp4-to-ts FATE_SEGMENT += fate-segment-adts-to-mkv fate-segment-adts-to-mkv: tests/data/adts-to-mkv.m3u8 -fate-segment-adts-to-mkv: CMD = framecrc -flags +bitexact -i $(TARGET_PATH)/tests/data/adts-to-mkv.m3u8 -c copy +fate-segment-adts-to-mkv: CMD = framecrc -flags +bitexact -format_whitelist ALL -i $(TARGET_PATH)/tests/data/adts-to-mkv.m3u8 -c copy fate-segment-adts-to-mkv: REF = $(SRC_PATH)/tests/ref/fate/segment-adts-to-mkv-header-all FATE_SEGMENT-$(call ALLYES, AAC_DEMUXER AAC_ADTSTOASC_BSF MATROSKA_MUXER MATROSKA_DEMUXER SEGMENT_MUXER HLS_DEMUXER) += fate-segment-adts-to-mkv diff --git a/tests/fate/filter-audio.mak b/tests/fate/filter-audio.mak index 5d15b31e0b..58f8a71dfe 100644 --- a/tests/fate/filter-audio.mak +++ b/tests/fate/filter-audio.mak @@ -150,7 +150,7 @@ tests/data/hls-list.m3u8: ffmpeg$(PROGSSUF)$(EXESUF) | tests/data FATE_AFILTER-$(call ALLYES, HLS_DEMUXER MPEGTS_MUXER MPEGTS_DEMUXER AEVALSRC_FILTER LAVFI_INDEV MP2FIXED_ENCODER) += fate-filter-hls fate-filter-hls: tests/data/hls-list.m3u8 -fate-filter-hls: CMD = framecrc -flags +bitexact -i $(TARGET_PATH)/tests/data/hls-list.m3u8 +fate-filter-hls: CMD = framecrc -flags +bitexact -format_whitelist hls,mpegts -i $(TARGET_PATH)/tests/data/hls-list.m3u8 tests/data/hls-list-append.m3u8: TAG = GEN tests/data/hls-list-append.m3u8: ffmpeg$(PROGSSUF)$(EXESUF) | tests/data 
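Review bot: Nothing in the test changes checks the new default itself: every HLS test touched here and in the two filter-audio.mak hunks is made to pass by overriding `-format_whitelist`, and no case asserts that an `.m3u8` input is refused when the option is left alone. A regression that silently re-enabled the demuxer would therefore go unnoticed, so a negative test that expects the open to fail would be worth adding. The two fate-segment commands also use `-format_whitelist ALL`, which lifts the restriction entirely, while filter-audio.mak names only `hls,mpegts`; listing just the playlist demuxer and the segment demuxer each test needs would keep the tests consistent and exercise the list matching.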
@@ -164,7 +164,7 @@ tests/data/hls-list-append.m3u8: ffmpeg$(PROGSSUF)$(EXESUF) | tests/data FATE_AFILTER-$(call ALLYES, HLS_DEMUXER MPEGTS_MUXER MPEGTS_DEMUXER AEVALSRC_FILTER LAVFI_INDEV MP2FIXED_ENCODER) += fate-filter-hls-append fate-filter-hls-append: tests/data/hls-list-append.m3u8 -fate-filter-hls-append: CMD = framecrc -flags +bitexact -i $(TARGET_PATH)/tests/data/hls-list-append.m3u8 -af asetpts=RTCTIME +fate-filter-hls-append: CMD = framecrc -flags +bitexact -format_whitelist hls,mpegts -i $(TARGET_PATH)/tests/data/hls-list-append.m3u8 -af asetpts=RTCTIME FATE_AMIX += fate-filter-amix-simple fate-filter-amix-simple: CMD = ffmpeg -filter_complex amix -i $(SRC) -ss 3 -i $(SRC1) -f f32le - -- 2.13.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel