[FFmpeg-devel] [PATCH 2/2] avformat/hls: Be more picky on extensions
Michael Niedermayer
michael at niedermayer.cc
Sat Jan 25 22:38:41 EET 2025
On Thu, Jan 23, 2025 at 10:27:47PM +0100, Michael Niedermayer wrote:
> On Wed, Jan 22, 2025 at 09:36:09PM +0100, Michael Niedermayer wrote:
> > This blocks disallowed extensions from probing
> > It also requires all available segments to have matching extensions to the format
> > mpegts is treated independent of the extension
> >
> > It is recommended to set the whitelists correctly
> > instead of depending on extensions, but this should help a bit,
> > and this is easier to backport
> >
> > Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
> > Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
> >
> > The other parts of CVE-2023-6602 have been fixed by prior commits
> >
> > Found-by: Harvey Phillips of Amazon Element55 (element55)
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > doc/demuxers.texi | 7 +++++++
> > libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
> > 2 files changed, 57 insertions(+)
>
> I intend to apply this patchset soon so it receives some testing before 7.1.1
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20250125/34760e3b/attachment.sig>
More information about the ffmpeg-devel
mailing list