diff mbox

[FFmpeg-devel,6/6] avformat/hls: Fix DoS due to infinite loop

Message ID 20170824231532.16002-6-michael@niedermayer.cc
State Superseded
Headers show

Commit Message

Michael Niedermayer Aug. 24, 2017, 11:15 p.m. UTC 
Fixes: loop.m3u

The max iteration count of 10000 is arbitrary and ideas for a better solution are welcome

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/hls.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Steven Liu Aug. 25, 2017, 12:23 a.m. UTC | #1 
2017-08-25 7:15 GMT+08:00 Michael Niedermayer <michael@niedermayer.cc>:
> Fixes: loop.m3u
>
> The max iteration count of 10000 is arbitrary and ideas for a better solution are welcome
Why not give a option to user for set the reload_count and limit from 1 - 10000?

>
> Found-by: Xiaohei and Wangchu from Alibaba Security Team
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/hls.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/libavformat/hls.c b/libavformat/hls.c
> index 01731bd36b..26f4ebd965 100644
> --- a/libavformat/hls.c
> +++ b/libavformat/hls.c
> @@ -1263,6 +1263,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
>      HLSContext *c = v->parent->priv_data;
>      int ret, i;
>      int just_opened = 0;
> +    int reload_count = 0;
>
>  restart:
>      if (!v->needed)
> @@ -1294,6 +1295,9 @@ restart:
>          reload_interval = default_reload_interval(v);
>
>  reload:
> +        reload_count++;
> +        if (reload_count > 10000)
> +            return AVERROR_EOF;
>          if (!v->finished &&
>              av_gettime_relative() - v->last_load_time >= reload_interval) {
>              if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
> --
> 2.14.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
wm4 Aug. 25, 2017, 8:08 a.m. UTC | #2 
On Fri, 25 Aug 2017 01:15:32 +0200
Michael Niedermayer <michael@niedermayer.cc> wrote:

> Fixes: loop.m3u
> 
> The max iteration count of 10000 is arbitrary and ideas for a better solution are welcome
> 
> Found-by: Xiaohei and Wangchu from Alibaba Security Team
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/hls.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libavformat/hls.c b/libavformat/hls.c
> index 01731bd36b..26f4ebd965 100644
> --- a/libavformat/hls.c
> +++ b/libavformat/hls.c
> @@ -1263,6 +1263,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
>      HLSContext *c = v->parent->priv_data;
>      int ret, i;
>      int just_opened = 0;
> +    int reload_count = 0;
>  
>  restart:
>      if (!v->needed)
> @@ -1294,6 +1295,9 @@ restart:
>          reload_interval = default_reload_interval(v);
>  
>  reload:
> +        reload_count++;
> +        if (reload_count > 10000)
> +            return AVERROR_EOF;
>          if (!v->finished &&
>              av_gettime_relative() - v->last_load_time >= reload_interval) {
>              if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {

Why 1000?

This patch is unnecessary. The interrupt callback can break out of this
loop anyway on user request. Or is this patch again intended for
transcode servers with hilariously insecure amateurish configuration,
like most of these patches seem to be?
Michael Niedermayer Aug. 25, 2017, 9:59 a.m. UTC | #3 
On Fri, Aug 25, 2017 at 10:08:23AM +0200, wm4 wrote:
> On Fri, 25 Aug 2017 01:15:32 +0200
> Michael Niedermayer <michael@niedermayer.cc> wrote:
> 
> > Fixes: loop.m3u
> > 
> > The max iteration count of 10000 is arbitrary and ideas for a better solution are welcome
> > 
> > Found-by: Xiaohei and Wangchu from Alibaba Security Team
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/hls.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/libavformat/hls.c b/libavformat/hls.c
> > index 01731bd36b..26f4ebd965 100644
> > --- a/libavformat/hls.c
> > +++ b/libavformat/hls.c
> > @@ -1263,6 +1263,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
> >      HLSContext *c = v->parent->priv_data;
> >      int ret, i;
> >      int just_opened = 0;
> > +    int reload_count = 0;
> >  
> >  restart:
> >      if (!v->needed)
> > @@ -1294,6 +1295,9 @@ restart:
> >          reload_interval = default_reload_interval(v);
> >  
> >  reload:
> > +        reload_count++;
> > +        if (reload_count > 10000)
> > +            return AVERROR_EOF;
> >          if (!v->finished &&
> >              av_gettime_relative() - v->last_load_time >= reload_interval) {
> >              if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
> 
> Why 1000?

Please read the commit message at the top of the mail you reply to,
that is explained in it


> 
> This patch is unnecessary. The interrupt callback can break out of this
> loop anyway on user request. Or is this patch again intended for
> transcode servers with hilariously insecure amateurish configuration,
> like most of these patches seem to be?

Do you object to this issue being fixed ?
In which case i will of course respect your veto and leave the issue
open.
Otherwise i will here note that i disagree with your oppinion.

And will resubmit a patch with the changes requested by the maintainer

Thanks
Michael Niedermayer Aug. 25, 2017, 10:14 a.m. UTC | #4 
On Fri, Aug 25, 2017 at 08:23:32AM +0800, Steven Liu wrote:
> 2017-08-25 7:15 GMT+08:00 Michael Niedermayer <michael@niedermayer.cc>:
> > Fixes: loop.m3u
> >
> > The max iteration count of 10000 is arbitrary and ideas for a better solution are welcome
> Why not give a option to user for set the reload_count and limit from 1 - 10000?

patch submitted

thx

[...]
wm4 Aug. 25, 2017, 11:03 a.m. UTC | #5 
On Fri, 25 Aug 2017 11:59:54 +0200
Michael Niedermayer <michael@niedermayer.cc> wrote:

> On Fri, Aug 25, 2017 at 10:08:23AM +0200, wm4 wrote:
> > On Fri, 25 Aug 2017 01:15:32 +0200
> > Michael Niedermayer <michael@niedermayer.cc> wrote:
> >   
> > > Fixes: loop.m3u
> > > 
> > > The max iteration count of 10000 is arbitrary and ideas for a better solution are welcome
> > > 
> > > Found-by: Xiaohei and Wangchu from Alibaba Security Team
> > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > ---
> > >  libavformat/hls.c | 4 ++++
> > >  1 file changed, 4 insertions(+)
> > > 
> > > diff --git a/libavformat/hls.c b/libavformat/hls.c
> > > index 01731bd36b..26f4ebd965 100644
> > > --- a/libavformat/hls.c
> > > +++ b/libavformat/hls.c
> > > @@ -1263,6 +1263,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
> > >      HLSContext *c = v->parent->priv_data;
> > >      int ret, i;
> > >      int just_opened = 0;
> > > +    int reload_count = 0;
> > >  
> > >  restart:
> > >      if (!v->needed)
> > > @@ -1294,6 +1295,9 @@ restart:
> > >          reload_interval = default_reload_interval(v);
> > >  
> > >  reload:
> > > +        reload_count++;
> > > +        if (reload_count > 10000)
> > > +            return AVERROR_EOF;
> > >          if (!v->finished &&
> > >              av_gettime_relative() - v->last_load_time >= reload_interval) {
> > >              if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {  
> > 
> > Why 1000?  
> 
> Please read the commit message at the top of the mail you reply to,
> that is explained in it
> 
> 
> > 
> > This patch is unnecessary. The interrupt callback can break out of this
> > loop anyway on user request. Or is this patch again intended for
> > transcode servers with hilariously insecure amateurish configuration,
> > like most of these patches seem to be?  
> 
> Do you object to this issue being fixed ?

I content that there is an issue. It was found by a fuzzer, and has no
security implications.

> In which case i will of course respect your veto and leave the issue
> open.
> Otherwise i will here note that i disagree with your oppinion.
> 
> And will resubmit a patch with the changes requested by the maintainer

A user option is even worse, because it creates API for a thing that
doesn't matter.
Michael Niedermayer Aug. 25, 2017, 4:13 p.m. UTC | #6 
On Fri, Aug 25, 2017 at 01:03:35PM +0200, wm4 wrote:
> On Fri, 25 Aug 2017 11:59:54 +0200
> Michael Niedermayer <michael@niedermayer.cc> wrote:
> 
> > On Fri, Aug 25, 2017 at 10:08:23AM +0200, wm4 wrote:
> > > On Fri, 25 Aug 2017 01:15:32 +0200
> > > Michael Niedermayer <michael@niedermayer.cc> wrote:
> > >   
> > > > Fixes: loop.m3u
> > > > 
> > > > The max iteration count of 10000 is arbitrary and ideas for a better solution are welcome
> > > > 
> > > > Found-by: Xiaohei and Wangchu from Alibaba Security Team
> > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > > ---
> > > >  libavformat/hls.c | 4 ++++
> > > >  1 file changed, 4 insertions(+)
> > > > 
> > > > diff --git a/libavformat/hls.c b/libavformat/hls.c
> > > > index 01731bd36b..26f4ebd965 100644
> > > > --- a/libavformat/hls.c
> > > > +++ b/libavformat/hls.c
> > > > @@ -1263,6 +1263,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
> > > >      HLSContext *c = v->parent->priv_data;
> > > >      int ret, i;
> > > >      int just_opened = 0;
> > > > +    int reload_count = 0;
> > > >  
> > > >  restart:
> > > >      if (!v->needed)
> > > > @@ -1294,6 +1295,9 @@ restart:
> > > >          reload_interval = default_reload_interval(v);
> > > >  
> > > >  reload:
> > > > +        reload_count++;
> > > > +        if (reload_count > 10000)
> > > > +            return AVERROR_EOF;
> > > >          if (!v->finished &&
> > > >              av_gettime_relative() - v->last_load_time >= reload_interval) {
> > > >              if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {  
> > > 
> > > Why 1000?  
> > 
> > Please read the commit message at the top of the mail you reply to,
> > that is explained in it
> > 
> > 
> > > 
> > > This patch is unnecessary. The interrupt callback can break out of this
> > > loop anyway on user request. Or is this patch again intended for
> > > transcode servers with hilariously insecure amateurish configuration,
> > > like most of these patches seem to be?  
> > 
> > Do you object to this issue being fixed ?
> 

> I content that there is an issue. It was found by a fuzzer, and has no
> security implications.

I belive you should CC the security researchers who found
the issue.
Also to repeat, my oppinion is that this is a security issue and
requires a fix.


> 
> > In which case i will of course respect your veto and leave the issue
> > open.
> > Otherwise i will here note that i disagree with your oppinion.
> > 
> > And will resubmit a patch with the changes requested by the maintainer
> 
> A user option is even worse, because it creates API for a thing that
> doesn't matter.
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
diff mbox

Patch

diff --git a/libavformat/hls.c b/libavformat/hls.c
index 01731bd36b..26f4ebd965 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -1263,6 +1263,7 @@  static int read_data(void *opaque, uint8_t *buf, int buf_size)
     HLSContext *c = v->parent->priv_data;
     int ret, i;
     int just_opened = 0;
+    int reload_count = 0;
 
 restart:
     if (!v->needed)
@@ -1294,6 +1295,9 @@  restart:
         reload_interval = default_reload_interval(v);
 
 reload:
+        reload_count++;
+        if (reload_count > 10000)
+            return AVERROR_EOF;
         if (!v->finished &&
             av_gettime_relative() - v->last_load_time >= reload_interval) {
             if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {