[FFmpeg-devel] [PATCH 6/6] avformat/hls: Fix DoS due to infinite loop

wm4 nfxjfg at googlemail.com
Fri Aug 25 14:03:35 EEST 2017 

On Fri, 25 Aug 2017 11:59:54 +0200
Michael Niedermayer <michael at niedermayer.cc> wrote:

> On Fri, Aug 25, 2017 at 10:08:23AM +0200, wm4 wrote:
> > On Fri, 25 Aug 2017 01:15:32 +0200
> > Michael Niedermayer <michael at niedermayer.cc> wrote:
> >   
> > > Fixes: loop.m3u
> > > 
> > > The max iteration count of 10000 is arbitrary and ideas for a better solution are welcome
> > > 
> > > Found-by: Xiaohei and Wangchu from Alibaba Security Team
> > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > ---
> > >  libavformat/hls.c | 4 ++++
> > >  1 file changed, 4 insertions(+)
> > > 
> > > diff --git a/libavformat/hls.c b/libavformat/hls.c
> > > index 01731bd36b..26f4ebd965 100644
> > > --- a/libavformat/hls.c
> > > +++ b/libavformat/hls.c
> > > @@ -1263,6 +1263,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
> > >      HLSContext *c = v->parent->priv_data;
> > >      int ret, i;
> > >      int just_opened = 0;
> > > +    int reload_count = 0;
> > >  
> > >  restart:
> > >      if (!v->needed)
> > > @@ -1294,6 +1295,9 @@ restart:
> > >          reload_interval = default_reload_interval(v);
> > >  
> > >  reload:
> > > +        reload_count++;
> > > +        if (reload_count > 10000)
> > > +            return AVERROR_EOF;
> > >          if (!v->finished &&
> > >              av_gettime_relative() - v->last_load_time >= reload_interval) {
> > >              if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {  
> > 
> > Why 1000?  
> 
> Please read the commit message at the top of the mail you reply to,
> that is explained in it
> 
> 
> > 
> > This patch is unnecessary. The interrupt callback can break out of this
> > loop anyway on user request. Or is this patch again intended for
> > transcode servers with hilariously insecure amateurish configuration,
> > like most of these patches seem to be?  
> 
> Do you object to this issue being fixed ?

I content that there is an issue. It was found by a fuzzer, and has no
security implications.

> In which case i will of course respect your veto and leave the issue
> open.
> Otherwise i will here note that i disagree with your oppinion.
> 
> And will resubmit a patch with the changes requested by the maintainer

A user option is even worse, because it creates API for a thing that
doesn't matter.

More information about the ffmpeg-devel mailing list