[FFmpeg-cvslog] avformat/mov: Fix opening relative references

Michael Niedermayer git at videolan.org
Wed Jul 15 01:22:46 CEST 2015


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Wed Jul 15 01:01:30 2015 +0200| [c9c7263e5820c957598643216c42be9b1c4f2d2b] | committer: Michael Niedermayer

avformat/mov: Fix opening relative references

Possibly fixes Ticket4671

the removed check is wrong and insufficient

Based on patch by Maksym Veremeyenko <verem at m1.tv>

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c9c7263e5820c957598643216c42be9b1c4f2d2b
---

 libavformat/mov.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index d24faa7..94fc25d 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2708,7 +2708,7 @@ static int mov_open_dref(MOVContext *c, AVIOContext **pb, const char *src, MOVDr
 
     /* try relative path, we do not try the absolute because it can leak information about our
        system to an attacker */
-    if (ref->nlvl_to > 0 && ref->nlvl_from > 0 && ref->path[0] != '/') {
+    if (ref->nlvl_to > 0 && ref->nlvl_from > 0) {
         char filename[1025];
         const char *src_path;
         int i, l;
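Review bot: With `ref->path[0] != '/'` dropped from the condition, a reference whose `ref->path` is absolute now enters this branch, but the comment directly above still reads "we do not try the absolute because it can leak information about our system to an attacker". Please update that comment to say that absolute paths are now rejected further down, at the `return AVERROR(ENOENT)` check. That later check only runs when `!c->use_absolute_path && !c->fc->open_cb`, so the comment should also make clear that it is now the only barrier on this path.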
@@ -2739,7 +2739,10 @@ static int mov_open_dref(MOVContext *c, AVIOContext **pb, const char *src, MOVDr
 
             av_strlcat(filename, ref->path + l + 1, sizeof(filename));
             if (!c->use_absolute_path && !c->fc->open_cb)
-                if(strstr(ref->path + l + 1, "..") || ref->nlvl_from > 1)
+                if(strstr(ref->path + l + 1, "..") ||
+                   strstr(ref->path + l + 1, ":") ||
+                   ref->nlvl_from > 1 ||
+                   (filename[0] == '/' && src_path == src))
                     return AVERROR(ENOENT);
 
             if (strlen(filename) + 1 == sizeof(filename))
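Review bot: The two added conditions, `strstr(ref->path + l + 1, ":")` and `(filename[0] == '/' && src_path == src)`, carry no comment saying what each is meant to reject, and the commit message only says the removed check was "wrong and insufficient". A short comment per condition would let a later reader judge whether the set is complete, in particular for `src_path == src`, whose meaning cannot be read from this hunk. Smaller points: the colon test searches for a single character, so `strchr` would state the intent more directly, and it rejects any reference with a `:` anywhere in the remaining path, which is worth stating as deliberate. With a four-line condition, braces around the inner `if` would make it harder to misread which statement the outer `if (!c->use_absolute_path && !c->fc->open_cb)` governs. Since all of these checks are skipped when `open_cb` is set, that expectation on the callback belongs in the comment too.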


