From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 1 Jun 2017 13:44:46 +0200
Message-Id: <20170601114446.11358-3-michael@niedermayer.cc>
In-Reply-To: <20170601114446.11358-1-michael@niedermayer.cc>
References: <20170601114446.11358-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/3] avformat: set the default whitelist to disable hls

This prevents an exploit leading to an information leak

The existing exploit depends on a specific decoder as well.
It does appear though that the exploit should be possible with any decoder.
The problem is that as long as sensitive information gets into the decoder,
the output of the decoder becomes sensitive as well.
The only obvious solution is to prevent access to sensitive information. Or to
disable hls or possibly some of its features. More complex solutions like
checking the path to limit access to only subdirectories of the hls path may
work as an alternative. But such solutions are fragile and tricky to implement
portably and would not stop every possible attack nor would they work with all
valid hls files.

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu
Fix inspired by: Tobias Rapp
Signed-off-by: Michael Niedermayer
---
 libavformat/options_table.h | 2 +-
 libavformat/utils.c         | 6 +++++-
 tests/fate/avformat.mak     | 4 ++--
 tests/fate/filter-audio.mak | 4 ++--
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/libavformat/options_table.h b/libavformat/options_table.h index 0c1915d6d4..f33e126838 100644 --- a/libavformat/options_table.h +++ b/libavformat/options_table.h
@@ -104,7 +104,7 @@ static const AVOption avformat_options[] = { {"make_zero", "shift timestamps so they start at 0", 0, AV_OPT_TYPE_CONST, {.i64 = AVFMT_AVOID_NEG_TS_MAKE_ZERO }, INT_MIN, INT_MAX, E, "avoid_negative_ts"}, {"dump_separator", "set information dump field separator", OFFSET(dump_separator), AV_OPT_TYPE_STRING, {.str = ", "}, CHAR_MIN, CHAR_MAX, D|E}, {"codec_whitelist", "List of decoders that are allowed to be used", OFFSET(codec_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, -{"format_whitelist", "List of demuxers that are allowed to be used", OFFSET(format_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, +{"format_whitelist", "List of demuxers that are allowed to be used", OFFSET(format_whitelist), AV_OPT_TYPE_STRING, { .str = "-hls,ALL" }, CHAR_MIN, CHAR_MAX, D }, {"protocol_whitelist", "List of protocols that are allowed to be used", OFFSET(protocol_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"protocol_blacklist", "List of protocols that are not allowed to be used", OFFSET(protocol_blacklist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D }, {"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = 1000 }, 0, INT_MAX, D }, diff --git a/libavformat/utils.c b/libavformat/utils.c index 7dd6084f27..23160a89cc 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -144,8 +144,9 @@ void av_format_inject_global_side_data(AVFormatContext *s) int ff_copy_whiteblacklists(AVFormatContext *dst, const AVFormatContext *src) { + char *old_format_whitelist = dst->format_whitelist; // This has a non NULL default + av_assert0(!dst->codec_whitelist && - !dst->format_whitelist && !dst->protocol_whitelist && !dst->protocol_blacklist); dst-> codec_whitelist = av_strdup(src->codec_whitelist); 
@@ -157,8 +158,11 @@ int ff_copy_whiteblacklists(AVFormatContext *dst, const AVFormatContext *src) || (src->protocol_whitelist && !dst->protocol_whitelist) || (src->protocol_blacklist && !dst->protocol_blacklist)) { av_log(dst, AV_LOG_ERROR, "Failed to duplicate black/whitelist\n"); + av_free(dst->format_whitelist); + dst->format_whitelist = old_format_whitelist; return AVERROR(ENOMEM); } + av_free(old_format_whitelist); return 0; } diff --git a/tests/fate/avformat.mak b/tests/fate/avformat.mak index 82a531c7a5..77021b793e 100644 --- a/tests/fate/avformat.mak +++ b/tests/fate/avformat.mak @@ -119,12 +119,12 @@ tests/data/adts-to-mkv-cated-%.mkv: tests/data/adts-to-mkv-header.mkv tests/data FATE_SEGMENT += fate-segment-mp4-to-ts fate-segment-mp4-to-ts: tests/data/mp4-to-ts.m3u8 -fate-segment-mp4-to-ts: CMD = framecrc -flags +bitexact -i $(TARGET_PATH)/tests/data/mp4-to-ts.m3u8 -c copy +fate-segment-mp4-to-ts: CMD = framecrc -flags +bitexact -format_whitelist ALL -i $(TARGET_PATH)/tests/data/mp4-to-ts.m3u8 -c copy FATE_SEGMENT-$(call ALLYES, MOV_DEMUXER H264_MP4TOANNEXB_BSF MPEGTS_MUXER MATROSKA_DEMUXER SEGMENT_MUXER HLS_DEMUXER) += fate-segment-mp4-to-ts FATE_SEGMENT += fate-segment-adts-to-mkv fate-segment-adts-to-mkv: tests/data/adts-to-mkv.m3u8 -fate-segment-adts-to-mkv: CMD = framecrc -flags +bitexact -i $(TARGET_PATH)/tests/data/adts-to-mkv.m3u8 -c copy +fate-segment-adts-to-mkv: CMD = framecrc -flags +bitexact -format_whitelist ALL -i $(TARGET_PATH)/tests/data/adts-to-mkv.m3u8 -c copy fate-segment-adts-to-mkv: REF = $(SRC_PATH)/tests/ref/fate/segment-adts-to-mkv-header-all FATE_SEGMENT-$(call ALLYES, AAC_DEMUXER AAC_ADTSTOASC_BSF MATROSKA_MUXER MATROSKA_DEMUXER SEGMENT_MUXER HLS_DEMUXER) += fate-segment-adts-to-mkv diff --git a/tests/fate/filter-audio.mak b/tests/fate/filter-audio.mak index 5d15b31e0b..58f8a71dfe 100644 --- a/tests/fate/filter-audio.mak +++ b/tests/fate/filter-audio.mak 
@@ -150,7 +150,7 @@ tests/data/hls-list.m3u8: ffmpeg$(PROGSSUF)$(EXESUF) | tests/data FATE_AFILTER-$(call ALLYES, HLS_DEMUXER MPEGTS_MUXER MPEGTS_DEMUXER AEVALSRC_FILTER LAVFI_INDEV MP2FIXED_ENCODER) += fate-filter-hls fate-filter-hls: tests/data/hls-list.m3u8 -fate-filter-hls: CMD = framecrc -flags +bitexact -i $(TARGET_PATH)/tests/data/hls-list.m3u8 +fate-filter-hls: CMD = framecrc -flags +bitexact -format_whitelist hls,mpegts -i $(TARGET_PATH)/tests/data/hls-list.m3u8 tests/data/hls-list-append.m3u8: TAG = GEN tests/data/hls-list-append.m3u8: ffmpeg$(PROGSSUF)$(EXESUF) | tests/data @@ -164,7 +164,7 @@ tests/data/hls-list-append.m3u8: ffmpeg$(PROGSSUF)$(EXESUF) | tests/data FATE_AFILTER-$(call ALLYES, HLS_DEMUXER MPEGTS_MUXER MPEGTS_DEMUXER AEVALSRC_FILTER LAVFI_INDEV MP2FIXED_ENCODER) += fate-filter-hls-append fate-filter-hls-append: tests/data/hls-list-append.m3u8 -fate-filter-hls-append: CMD = framecrc -flags +bitexact -i $(TARGET_PATH)/tests/data/hls-list-append.m3u8 -af asetpts=RTCTIME +fate-filter-hls-append: CMD = framecrc -flags +bitexact -format_whitelist hls,mpegts -i $(TARGET_PATH)/tests/data/hls-list-append.m3u8 -af asetpts=RTCTIME FATE_AMIX += fate-filter-amix-simple fate-filter-amix-simple: CMD = ffmpeg -filter_complex amix -i $(SRC) -ss 3 -i $(SRC1) -f f32le -
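
Review bot: in libavformat/options_table.h the new default "-hls,ALL" changes what format_whitelist accepts, but the help text on that line still reads "List of demuxers that are allowed to be used" and says nothing about the "-name" exclusion form, the ALL keyword, or that hls is now off by default. A user whose HLS input stops opening has nothing in the option description pointing at the cause; extend the description (and the user documentation) to state the syntax, the new default, and how to re-enable hls. Note also that this default is a deny-list: every demuxer other than hls stays enabled, so it only closes the path described in the commit message for hls itself.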
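
Review bot: in ff_copy_whiteblacklists() (libavformat/utils.c) the ENOMEM path now restores dst->format_whitelist but leaves whichever of codec_whitelist, protocol_whitelist and protocol_blacklist were already duplicated set in dst. The av_assert0 at the top still requires those three to be NULL on entry, so a caller that retries after the error would abort; consider releasing them on the error path (av_freep on each) so dst returns to the state it had on entry. The comment "This has a non NULL default" would also be clearer if it said the old value is kept only so it can be restored on failure.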
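
Review bot: the two segment tests in tests/fate/avformat.mak pass "-format_whitelist ALL", while the hls tests in tests/fate/filter-audio.mak pass the narrower "hls,mpegts". ALL switches the restriction off entirely for those tests; listing just the demuxers each test needs would keep them exercising the whitelist path. None of the changed tests checks the new default itself: a case that opens an .m3u8 without -format_whitelist and expects the open to fail would catch a regression of the "-hls,ALL" default.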