From: xiaohuanshu@gmail.com
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 11 Apr 2025 15:48:08 +0800
Message-Id: <20250411074808.33274-1-xiaohuanshu@gmail.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH] libavformat/dashdec: Fix buffer overflow in
 segment URL resolution
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250411074808.33274-1-xiaohuanshu@gmail.com/>

From: xiaohuanshu <xiaohuanshu@gmail.com>

Problem:
The max_url_size calculation for DASH segment URLs only considered the base URL
length, leading to buffer overflow when the segment's sourceURL exceeded the
pre-allocated buffer. This triggered the log error:
"DASH request for url 'invalid:truncated'".

Reproduce:
1. A test sample "long-sourceurl-sample.mpd" (deliberately designed with a long
   sourceURL) was uploaded to VideoLAN's repository.
2. Reproduce with short base path:
   ffmpeg -i /tmp/short_path/long-sourceurl-sample.mpd
   -> Triggers "invalid:truncated" error
3. With artificially lengthened base path (e.g. /aaa/../bbb/../...):
   ffmpeg -i /long/../path/../with/../many/../segments/long-sourceurl-sample.mpd
   -> URL resolves correctly (though HTTP fetch fails due to fake URL)

Fix:
Recalculate max_url_size by considering both base URL and sourceURL lengths,
ensuring sufficient buffer allocation during URL concatenation.

Signed-off-by: xiaohuanshu <xiaohuanshu@gmail.com>
---
 libavformat/dashdec.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index c3f3d7f3f8..f604d363c4 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -606,7 +606,7 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
     char *initialization_val = NULL;
     char *media_val = NULL;
     char *range_val = NULL;
-    int max_url_size = c ? c->max_url_size: MAX_URL_SIZE;
+    int max_url_size = 0;
     int err;
 
     if (!av_strcasecmp(fragmenturl_node->name, "Initialization")) {
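Review bot: the declaration now starts max_url_size at 0 instead of `c ? c->max_url_size : MAX_URL_SIZE`, so any use of the variable in this function that is not preceded by one of the recomputations added in the Initialization and media branches below would pass a zero size on to the URL allocation. Keeping the original initializer as the default and letting the branches only raise it would close that gap and also make the later `max_url_size ? max_url_size : MAX_URL_SIZE` fallback unnecessary.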
@@ -620,6 +620,12 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
                 xmlFree(initialization_val);
                 return AVERROR(ENOMEM);
             }
+            max_url_size = FFMAX(
+                c ? c->max_url_size : 0,
+                initialization_val ? aligned(strlen(initialization_val) +
+                                             (rep_id_val ? strlen(rep_id_val) : 0) +
+                                             (rep_bandwidth_val ? strlen(rep_bandwidth_val) : 0)) : 0);
+            max_url_size = max_url_size ? max_url_size : MAX_URL_SIZE;
             rep->init_section->url = get_content_url(baseurl_nodes, 4,
                                                      max_url_size,
                                                      rep_id_val,
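Review bot: FFMAX() selects the larger of the base-derived size (c->max_url_size) and the sourceURL-derived size, but the commit message describes the overflow as happening during URL concatenation, where the base URL and the sourceURL are joined into one buffer; a long base combined with a long sourceURL can therefore still exceed a buffer sized by the maximum, and "considering both lengths" suggests adding them, e.g. `aligned((c ? c->max_url_size : 0) + strlen(initialization_val) + ...)`. The same three-way strlen() expression is repeated verbatim in the media branch below; a small static helper would keep the two computations in sync.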
@@ -641,6 +647,12 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
                 xmlFree(media_val);
                 return AVERROR(ENOMEM);
             }
+            max_url_size = FFMAX(
+                c ? c->max_url_size : 0,
+                initialization_val ? aligned(strlen(initialization_val) +
+                                             (rep_id_val ? strlen(rep_id_val) : 0) +
+                                             (rep_bandwidth_val ? strlen(rep_bandwidth_val) : 0)) : 0);
+            max_url_size = max_url_size ? max_url_size : MAX_URL_SIZE;
             seg->url = get_content_url(baseurl_nodes, 4,
                                        max_url_size,
                                        rep_id_val,
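Review bot: the size computation in this media branch reads initialization_val instead of media_val, although the surrounding context (xmlFree(media_val) above, the assignment to seg->url) shows this is the path that handles the media segment's sourceURL. If initialization_val is NULL here, the FFMAX() collapses to `c ? c->max_url_size : 0`, i.e. the pre-patch size, and the media sourceURL length is still not accounted for. Replace initialization_val with media_val in both the ternary condition and the strlen() call.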
-- 
2.39.5 (Apple Git-154)
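The sizing rule the commit message describes, as an added C example that is not FFmpeg code: it compares a buffer sized by the larger of the base-URL and sourceURL lengths (what FFMAX() in the patch selects) against one sized by their sum, using snprintf() truncation as a stand-in for the decoder's "invalid:truncated" path. The round_up8() helper and both URL strings are constructed for this example and are not the decoder's aligned() or real manifest data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Round a length up to a multiple of 8; stands in for the alignment the
   patch's aligned() applies (assumption: its exact rounding is not shown). */
static size_t round_up8(size_t n) { return (n + 7) & ~(size_t)7; }

/* Size a buffer the way FFMAX() in the patch does: the larger of the two. */
size_t size_by_max(size_t base_len, size_t source_len)
{
    return round_up8(base_len > source_len ? base_len : source_len);
}

/* Size a buffer for the actual concatenation: both lengths plus the NUL. */
size_t size_by_sum(size_t base_len, size_t source_len)
{
    return round_up8(base_len + source_len + 1);
}

/* Join base and source into a fresh buffer of dst_size bytes.
   Returns the joined length, or -1 when it does not fit (or on allocation
   failure); snprintf() truncation plays the role of the decoder's
   "invalid:truncated" error. */
int join_into(size_t dst_size, const char *base, const char *source)
{
    char *dst = malloc(dst_size);
    int n;
    if (!dst)
        return -1;
    n = snprintf(dst, dst_size, "%s%s", base, source);
    free(dst);
    return (n < 0 || (size_t)n >= dst_size) ? -1 : n;
}

/* Constructed inputs: a 40-byte base URL and a 55-byte sourceURL.
   Returns 1 when the max-sized buffer truncates but the sum-sized one fits. */
int demo_max_undersizes(void)
{
    const char *base   = "https://cdn.example.invalid/dash/stream/";
    const char *source = "segments/video-representation-1-init-very-long-name.m4s";
    size_t bl = strlen(base), sl = strlen(source);
    int r_max = join_into(size_by_max(bl, sl), base, source);  /* 56-byte buffer */
    int r_sum = join_into(size_by_sum(bl, sl), base, source);  /* 96-byte buffer */
    return r_max == -1 && r_sum == (int)(bl + sl);
}
```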
