[FFmpeg-devel] [PATCH 2/2] avformat/hls: Be more picky on extensions
Michael Niedermayer
michael at niedermayer.cc
Thu Jan 23 23:27:47 EET 2025
On Wed, Jan 22, 2025 at 09:36:09PM +0100, Michael Niedermayer wrote:
> This blocks disallowed extensions from probing
> It also requires all available segments to have matching extensions to the format
> mpegts is treated independent of the extension
>
> It is recommended to set the whitelists correctly
> instead of depending on extensions, but this should help a bit,
> and this is easier to backport
>
> Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
> Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
>
> The other parts of CVE-2023-6602 have been fixed by prior commits
>
> Found-by: Harvey Phillips of Amazon Element55 (element55)
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> doc/demuxers.texi | 7 +++++++
> libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 57 insertions(+)
I intend to apply this patchset soon so it receives some testing before 7.1.1
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
When the tyrant has disposed of foreign enemies by conquest or treaty, and
there is nothing more to fear from them, then he is always stirring up
some war or other, in order that the people may require a leader. -- Plato
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20250123/e06c17f9/attachment.sig>
More information about the ffmpeg-devel
mailing list