On Wed, Jan 22, 2025 at 09:36:09PM +0100, Michael Niedermayer wrote:
> This blocks disallowed extensions from probing
> It also requires all available segments to have matching extensions to the format
> mpegts is treated independent of the extension
> 
> It is recommended to set the whitelists correctly
> instead of depending on extensions, but this should help a bit,
> and this is easier to backport
> 
> Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
> Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
> 
> The other parts of CVE-2023-6602 have been fixed by prior commits
> 
> Found-by: Harvey Phillips of Amazon Element55 (element55)
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  doc/demuxers.texi |  7 +++++++
>  libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 57 insertions(+)

I intend to apply this patchset soon so it receives some testing before 7.1.1


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When the tyrant has disposed of foreign enemies by conquest or treaty, and
there is nothing more to fear from them, then he is always stirring up
some war or other, in order that the people may require a leader. -- Plato