On 16/07/15 09:30, Luca Barbato wrote:
> On 16/07/15 03:15, Vittorio Giovara wrote:
>> Probably a good idea, but this needs further study, so for the time
>> being I think it ought to be reverted.
>>
>
> Given you add as many `../` as you want it doesn't even warrant much
> security, go for it.
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 66a0391..920af38 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2395,7 +2395,7 @@ static int mov_open_dref(AVIOContext **pb, char
*src, MOVDref *ref,
/* try relative path, we do not try the absolute because it can
leak information about our
system to an attacker */
if (ref->nlvl_to > 0 && ref->nlvl_from > 0 && ref->path[0] != '/') {
- char filename[1024];
+ char filename[1024] = { 0 };
char *src_path;
int i, l;
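Review bot: On the changed declaration `char filename[1024] = { 0 };`, the zero-fill becomes the only thing that terminates the buffer when the later `memcpy(filename, src, l)` runs with `l == 0`, because the explicit `filename[src_path - src] = 0` is removed in the next hunk. Keep an explicit `filename[l] = 0;` right after the copy, so termination is visible where the string is built and does not depend on the initializer.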
@@ -2414,14 +2414,21 @@ static int mov_open_dref(AVIOContext **pb, char
*src, MOVDref *ref,
else
i++;
}
-
+ l = src_path - src;
/* compose filename if next level down to target was found */
- if (i == ref->nlvl_to - 1 && src_path - src < sizeof(filename)) {
- memcpy(filename, src, src_path - src);
- filename[src_path - src] = 0;
+ if (i == ref->nlvl_to - 1 && l < sizeof(filename)) {
+ memcpy(filename, src, l);
+
+ if (l > 0 && ref->nlvl_from) {
+ filename[l - 1] = 0;
+
+ for (i = 1; i < ref->nlvl_from; i++) {
+ char *p = strrchr(filename, '/');
+ if (p)
+ p[0] = 0;
- for (i = 1; i < ref->nlvl_from; i++)
- av_strlcat(filename, "../", 1024);
+ av_strlcat(filename, '/', sizeof(filename));
+ }
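Review bot: In the added `av_strlcat(filename, '/', sizeof(filename));` the second argument is the character constant `'/'`, whereas the removed call passed a string (`"../"`); it should be `"/"`. In the same loop, a NULL result from `strrchr(filename, '/')` is skipped silently, so a reference whose `nlvl_from` exceeds the number of directories in the src path is not rejected at this point; failing there would make the sanitizing strict. `filename[l - 1] = 0` also assumes the last copied byte is a `/`, which deserves a check or a comment.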
This sanitizes the src path, and I guess the same could be done for the
ref path.
lu
_______________________________________________
libav-devel mailing list
https://lists.libav.org/mailman/listinfo/libav-devel
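The approach discussed in the message above (walking up from the src path by dropping components instead of appending `../`), as an added example that is not part of the original message or of libav's code. `dir_levels_up` is a hypothetical helper, the sample paths are constructed, and src is assumed to contain no `..` components of its own.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libav's): write into out the directory reached
 * from the file path src by going up `levels` directories, with a trailing
 * '/'. levels == 1 is the directory that contains src.
 * Returns 0 on success, -1 if src has fewer directory levels than requested
 * or the buffer is too small, so the caller can reject the reference
 * instead of resolving it outside the source tree. */
static int dir_levels_up(const char *src, int levels, char *out, size_t out_size)
{
    size_t len = strlen(src);
    int i;

    if (levels < 1 || len + 2 > out_size)   /* conservative size check */
        return -1;
    memcpy(out, src, len + 1);              /* copy including the NUL */

    for (i = 0; i < levels; i++) {
        char *p = strrchr(out, '/');
        if (!p)
            return -1;      /* no component left to drop: refuse */
        *p = 0;             /* drop the last component */
    }
    /* The result is never longer than src, so this append fits.
     * An absolute src climbed to the root is "" here and becomes "/". */
    strcat(out, "/");
    return 0;
}

int main(void)
{
    /* constructed sample path */
    const char *src = "media/a/b/movie.mov";
    char buf[64];
    int lvl;

    for (lvl = 1; lvl <= 4; lvl++) {
        if (dir_levels_up(src, lvl, buf, sizeof(buf)) == 0)
            printf("%d level(s) up: %s\n", lvl, buf);
        else
            printf("%d level(s) up: rejected\n", lvl);
    }
    return 0;
}
```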