| 1 | From 7ec414892ddcad88313848494b6fc5f437c9ca4a Mon Sep 17 00:00:00 2001 |
| 2 | From: Michael Niedermayer <michael@niedermayer.cc> |
| 3 | Date: Sat, 26 Aug 2017 01:26:58 +0200 |
| 4 | Subject: [PATCH] avformat/hls: Fix DoS due to infinite loop |
| 5 | |
| 6 | Fixes: loop.m3u |
| 7 | |
| 8 | The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome |
| 9 | |
| 10 | Found-by: Xiaohei and Wangchu from Alibaba Security Team |
| 11 | |
| 12 | Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com> |
| 13 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> |
| 14 | |
| 15 | CVE: CVE-2017-14058 |
| 16 | Upstream-Status: Backport |
| 17 | |
| 18 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> |
| 19 | --- |
| 20 | doc/demuxers.texi | 18 ++++++++++++++++++ |
| 21 | libavformat/hls.c | 7 +++++++ |
| 22 | 2 files changed, 25 insertions(+) |
| 23 | |
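--- a/doc/demuxers.texi
+++ b/doc/demuxers.texi
@@ -300,6 +300,24 @@ used to end the output video at the length of the shortest input file,
 which in this case is @file{input.mp4} as the GIF in this example loops
 infinitely.
 
+@section hls
+
+HLS demuxer
+
+It accepts the following options:
+
+@table @option
+@item live_start_index
+segment index to start live streams at (negative values are from the end).
+
+@item allowed_extensions
+',' separated list of file extensions that hls is allowed to access.
+
+@item max_reload
+Maximum number of times a insufficient list is attempted to be reloaded.
+Default value is 1000.
+@end table
+
 @section image2
 
 Image file demuxer.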
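--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -205,6 +205,7 @@ typedef struct HLSContext {
 AVDictionary *avio_opts;
 int strict_std_compliance;
 char *allowed_extensions;
+ int max_reload;
 } HLSContext;
 
 static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
@@ -1263,6 +1264,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
 HLSContext *c = v->parent->priv_data;
 int ret, i;
 int just_opened = 0;
+ int reload_count = 0;
 
 restart:
 if (!v->needed)
@@ -1294,6 +1296,9 @@ restart:
 reload_interval = default_reload_interval(v);
 
 reload:
+ reload_count++;
+ if (reload_count > c->max_reload)
+ return AVERROR_EOF;
 if (!v->finished &&
 av_gettime_relative() - v->last_load_time >= reload_interval) {
 if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
@@ -2150,6 +2155,8 @@ static const AVOption hls_options[] = {
 OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
 {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
 INT_MIN, INT_MAX, FLAGS},
+ {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
+ OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
 {NULL}
 };
 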
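Review bot: The new cap at the `reload:` label returns `AVERROR_EOF` without logging anything, so a playlist that exhausts the limit looks the same to callers and operators as a stream that ended normally. A warning before the return would make the condition detectable, for example `av_log(v->parent, AV_LOG_WARNING, "max_reload (%d) reached, giving up on playlist\n", c->max_reload);`, assuming `v->parent` is the format context as the `priv_data` access suggests. Separately, `reload_count++` runs before the first load attempt and the option's lower bound is 0, so `max_reload=0` appears to return EOF on the first pass through the label. Consider a minimum of 1, or document that 0 disables reading. The body of `read_data` continues outside these hunks, so whether the counter should reset on `goto restart` cannot be judged from here.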
| 92 | -- |
| 93 | 2.1.0 |
| 94 | |