ffmpeg | branch: release/2.6 | Michael Niedermayer <mich...@niedermayer.cc> | 
Wed Jan 20 09:43:54 2016 +0100| [4de748119497f91c79c063466332d1564c4daa48] | 
committer: Michael Niedermayer

avformat/avio: Limit url option parsing to the documented cases

This feature is not know much or used much AFAIK, and it might be helpfull in
exploits.
No specific case is known where it can be used in an exploit though
subsequent commits depend on this commit though

Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
(cherry picked from commit 984d58a3440d513f66344b5332f6b589c0a6bbc6)

Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4de748119497f91c79c063466332d1564c4daa48
---

 libavformat/avio.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavformat/avio.c b/libavformat/avio.c
index 326bb0a..78d15cc 100644
--- a/libavformat/avio.c
+++ b/libavformat/avio.c
@@ -155,9 +155,16 @@ static int url_alloc_for_protocol(URLContext **puc, struct 
URLProtocol *up,
                 char sep= *++p;
                 char *key, *val;
                 p++;
+
+                if (strcmp(up->name, "subfile"))
+                    ret = AVERROR(EINVAL);
+
                 while(ret >= 0 && (key= strchr(p, sep)) && p<key && (val = 
strchr(key+1, sep))){
                     *val= *key= 0;
-                    ret= av_opt_set(uc->priv_data, p, key+1, 0);
+                    if (strcmp(p, "start") && strcmp(p, "end")) {
+                        ret = AVERROR_OPTION_NOT_FOUND;
+                    } else
+                        ret= av_opt_set(uc->priv_data, p, key+1, 0);
                     if (ret == AVERROR_OPTION_NOT_FOUND)
                         av_log(uc, AV_LOG_ERROR, "Key '%s' not found.\n", p);
                     *val= *key= sep;
@@ -222,7 +229,7 @@ static struct URLProtocol *url_find_protocol(const char 
*filename)
     size_t proto_len = strspn(filename, URL_SCHEME_CHARS);
 
     if (filename[proto_len] != ':' &&
-        (filename[proto_len] != ',' || !strchr(filename + proto_len + 1, ':')) 
||
+        (strncmp(filename, "subfile,", 8) || !strchr(filename + proto_len + 1, 
':')) ||
         is_dos_path(filename))
         strcpy(proto_str, "file");
     else

_______________________________________________
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

Reply via email to