[FFmpeg-devel] [PATCH 6/6] avformat/hls: Fix DoS due to infinite loop

wm4 nfxjfg at googlemail.com
Fri Aug 25 11:08:23 EEST 2017


On Fri, 25 Aug 2017 01:15:32 +0200
Michael Niedermayer <michael at niedermayer.cc> wrote:

> Fixes: loop.m3u
> 
> The max iteration count of 10000 is arbitrary and ideas for a better solution are welcome
> 
> Found-by: Xiaohei and Wangchu from Alibaba Security Team
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavformat/hls.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libavformat/hls.c b/libavformat/hls.c
> index 01731bd36b..26f4ebd965 100644
> --- a/libavformat/hls.c
> +++ b/libavformat/hls.c
> @@ -1263,6 +1263,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
>      HLSContext *c = v->parent->priv_data;
>      int ret, i;
>      int just_opened = 0;
> +    int reload_count = 0;
>  
>  restart:
>      if (!v->needed)
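
Review bot: `reload_count` is initialised only at its declaration above the `restart:` label, so it is not reset by any jump back to `restart:` and is reset on every call to `read_data`. The limit therefore bounds passes within one call, not consecutive reloads of one playlist and not reloads over the life of the stream. A short comment at the declaration stating which of these is intended would make the limit easier to reason about.
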
> @@ -1294,6 +1295,9 @@ restart:
>          reload_interval = default_reload_interval(v);
>  
>  reload:
> +        reload_count++;
> +        if (reload_count > 10000)
> +            return AVERROR_EOF;
>          if (!v->finished &&
>              av_gettime_relative() - v->last_load_time >= reload_interval) {
>              if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
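
Review bot: The bound in `if (reload_count > 10000)` is an unnamed magic number that the commit message itself calls arbitrary; a named constant or a demuxer option would let it be documented and tuned. The increment also sits directly under `reload:`, before the `!v->finished` and reload-interval test, so it counts every pass through the label rather than actual calls to `parse_playlist`. Returning `AVERROR_EOF` with no log message makes hitting the cap indistinguishable from a normal end of stream; an `av_log` warning before the return would let operators tell the two apart.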

Why 1000?

This patch is unnecessary. The interrupt callback can break out of this
loop anyway on user request. Or is this patch again intended for
transcode servers with hilariously insecure amateurish configuration,
like most of these patches seem to be?

