Package: vlc Version: 0.8.6.h-5 The following URL contains a quicktime file which /usr/bin/file identifies as "Apple QuickTime multiple URLs":
http://science.education.nih.gov/supplements/nih1/Cancer/videos/act2/CB5_MSTR.mov You can access this file via a web page here if you want to see it in a browser: http://science.education.nih.gov/supplements/nih1/Cancer/activities/activity2_videos.htm vlc 0.8.6.h-5 (on i386) gets itself into a nasty infinite regress if you try to load the first URL directly in vlc like this: vlc "$URL" What seems to happen is that the .mov file contains a set of references to other streams (in this case, the streams appear to be the same content, optimized for different bitrates). However, one of the embedded URLs appears to be a link to the same file: > 0 $ wget -q -O- > 'http://science.education.nih.gov/supplements/nih1/Cancer/videos/act2/CB5_MSTR.mov' > | strings | grep mov > CB5_MSTR.mov > CB5_144.mov > CB5_56K.mov > CB5_ISDN.mov > CB5_T1.mov > 0 $ It looks like vlc is recursively loading this file, and each load adds another 5 entries to the playlist. This goes on until you kill vlc. This strikes me as a potential risk for a remotely-triggered denial of service attack. I've also tried this with VLC 0.9.8a-1 (from experimental). This new version behaves a little bit better, because it at least starts playing the actual content files (starting at CB5_144.mov), and doesn't trigger the infinite regress quite as fast. It *is* still an infinite regress, though, and if the individual content files were only a fraction of a second in length, it seems like it could have the same misbehavior. What's more, it doesn't seem that vlc properly respects the intent of such a file either. I don't know the quicktime spec at all, but i'd assume that the intent of a quicktime wrapper file like this is to automatically send the user to the correct stream of data based on their (pre-configured?) bandwidth preference, not to show them each video stream in sequence. Is there a way that such intent is encoded in the aggregated .mov file? If you are unable to replicate this misbehavior of vlc, please let me know if you'd like any more specific debugging information. I'm happy to provide. Thanks for maintaining vlc in debian! --dkg
signature.asc
Description: OpenPGP digital signature