From patchwork Wed Mar 8 12:40:11 2017
X-Patchwork-Submitter: wm4
X-Patchwork-Id: 2832
From: wm4
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 8 Mar 2017 13:40:11 +0100
Message-Id: <20170308124012.27793-2-nfxjfg@googlemail.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20170308124012.27793-1-nfxjfg@googlemail.com>
References: <20170308124012.27793-1-nfxjfg@googlemail.com>
Subject: [FFmpeg-devel] [PATCH 2/3] avformat: reject FFmpeg-style merged side data in raw packets
Cc: wm4

It looks like this could lead to security issues, as side data readers will for example rely on side data allocation sizes to be as large as needed for correct operation.

If such files exist at all, they also should be brought out of circulation, so fully reject them. Under normal circumstances, nothing creates such files.

To avoid problems for now, we let the concat and hls demuxers do this (they merely return previously-demuxed packets, whose side data might have been merged by libavformat itself after demuxing). The special cases will be removed in the next commit.
---
 libavformat/utils.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 37d7024465..68f3c977d6 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -840,6 +840,15 @@ int ff_read_packet(AVFormatContext *s, AVPacket *pkt) *pkt = tmp; } + if (strcmp(s->iformat->name, "concat") && strcmp(s->iformat->name, "hls,applehttp") + && av_packet_split_side_data(pkt) == 1) { + av_log(s, AV_LOG_ERROR, + "FFmpeg-style merged side data found in raw packet. " + "The packet is rejected for security reasons.\n"); + av_packet_unref(pkt); + return AVERROR_INVALIDDATA; + } + if ((s->flags & AVFMT_FLAG_DISCARD_CORRUPT) && (pkt->flags & AV_PKT_FLAG_CORRUPT)) { av_log(s, AV_LOG_WARNING,
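Review bot: the `av_packet_split_side_data(pkt) == 1` test in this hunk only rejects the packet when the split reports success; a negative error return from av_packet_split_side_data (for example an allocation failure while splitting) compares unequal to 1 and is silently treated as "no merged side data", so the packet continues down the normal path. Consider `int ret = av_packet_split_side_data(pkt);` followed by `if (ret < 0) return ret;` ahead of the rejection branch, or reject on `ret != 0`, so an error is not mistaken for a clean packet. Also, exempting demuxers by `strcmp` on `s->iformat->name` against "concat" and "hls,applehttp" is a match on display names; since the commit message states the special cases are removed in the next commit, a one-line comment above the `strcmp` saying the exemption is temporary would stop a reader from treating the name list as an interface.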