Date: Wed, 16 Apr 2025 01:32:54 +0200
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <20250415233254.GX4991@pb2>
References: <20250411074808.33274-1-xiaohuanshu@gmail.com>
MIME-Version: 1.0
In-Reply-To: <20250411074808.33274-1-xiaohuanshu@gmail.com>
Subject: Re: [FFmpeg-devel] [PATCH] libavformat/dashdec: Fix buffer overflow in segment URL resolution
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250415233254.GX4991@pb2/>

Hi

On Fri, Apr 11, 2025 at 03:48:08PM +0800, xiaohuanshu@gmail.com wrote:
> From: xiaohuanshu <xiaohuanshu@gmail.com>
>
> Problem:
> The max_url_size calculation for DASH segment URLs only considered the base URL
> length, leading to buffer overflow when the segment's sourceURL exceeded the
> pre-allocated buffer. This triggered the log error:
> "DASH request for url 'invalid:truncated'".
>
> Reproduce:
> 1. A test sample "long-sourceurl-sample.mpd" (deliberately designed with a long
>    sourceURL) was uploaded to VideoLAN's repository.
> 2. Reproduce with short base path:
>    ffmpeg -i /tmp/short_path/long-sourceurl-sample.mpd
>    -> Triggers "invalid:truncated" error
> 3. With artificially lengthened base path (e.g. /aaa/../bbb/../...):
>    ffmpeg -i /long/../path/../with/../many/../segments/long-sourceurl-sample.mpd
>    -> URL resolves correctly (though HTTP fetch fails due to fake URL)
>
> Fix:
> Recalculate max_url_size by considering both base URL and sourceURL lengths,
> ensuring sufficient buffer allocation during URL concatenation.
>
> Signed-off-by: xiaohuanshu <xiaohuanshu@gmail.com>
> ---
>  libavformat/dashdec.c | 14 +++++++++++++-
>  1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
> index c3f3d7f3f8..f604d363c4 100644
> --- a/libavformat/dashdec.c
> +++ b/libavformat/dashdec.c
> @@ -606,7 +606,7 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
>      char *initialization_val = NULL;
>      char *media_val = NULL;
>      char *range_val = NULL;
> -    int max_url_size = c ? c->max_url_size: MAX_URL_SIZE;
> +    int max_url_size = 0;
>      int err;
>  
>      if (!av_strcasecmp(fragmenturl_node->name, "Initialization")) {
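Review bot: Initializing max_url_size to 0 instead of `c ? c->max_url_size : MAX_URL_SIZE` makes the value meaningful only after one of the two branches recomputes it; any use of max_url_size in this function outside the Initialization and SegmentURL branches would now be handed 0 where it previously got the base-URL size. Please confirm no such use exists, or keep the old initializer as the default and let each branch only raise it with FFMAX.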
> @@ -620,6 +620,12 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
>                  xmlFree(initialization_val);
>                  return AVERROR(ENOMEM);
>              }
> +            max_url_size = FFMAX(

> +                c ? c->max_url_size : 0,

How can c be NULL here?


> +                initialization_val ? aligned(strlen(initialization_val) +
> +                                             (rep_id_val ? strlen(rep_id_val) : 0) +
> +                                             (rep_bandwidth_val ? strlen(rep_bandwidth_val) : 0)) : 0);
> +            max_url_size = max_url_size ? max_url_size : MAX_URL_SIZE;
>              rep->init_section->url = get_content_url(baseurl_nodes, 4,
>                                                       max_url_size,
>                                                       rep_id_val,
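Review bot: The commit message says the buffer has to hold the base URL and the sourceURL together during concatenation, yet this hunk takes FFMAX of the base-derived size (c->max_url_size) and the sourceURL-derived size, so when both are long the larger of the two is still smaller than their sum. If c->max_url_size covers only the base URL, the sum of the two terms (plus room for the terminator) is what get_content_url needs; if it already carries headroom for the segment path, a comment saying so here would spare the next reader the same question. The FFMAX block and the `max_url_size ? max_url_size : MAX_URL_SIZE` fallback are also repeated verbatim in the SegmentURL branch below; a small helper taking the sourceURL string as a parameter would keep the two copies from drifting apart.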
> @@ -641,6 +647,12 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
>                  xmlFree(media_val);
>                  return AVERROR(ENOMEM);
>              }
> +            max_url_size = FFMAX(
> +                c ? c->max_url_size : 0,

> +                initialization_val ? aligned(strlen(initialization_val) +
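Review bot: This branch handles the SegmentURL element (it frees media_val on the error path just above), yet the length term still reads initialization_val, carried over from the Initialization branch; it should be media_val, otherwise the sourceURL this branch actually concatenates is never counted and the buffer can remain too small. Moving the FFMAX computation into a helper that is called with initialization_val in one branch and media_val in the other would make this copy-paste divergence impossible.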

How can initialization_val be non-NULL here?

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I have often repented speaking, but never of holding my tongue.
-- Xenocrates
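As an added example, not code from the patch or from FFmpeg, here is the sizing question the thread turns on in plain C: a buffer that receives a concatenation must hold the sum of both parts plus the terminator, while keeping the larger of the two parts, which is what an FFMAX() of two sizes does, can come up short when both are long. The helpers align64, required_url_size, max_of_url_sizes, join_url and demo_long_base_and_source are hypothetical stand-ins; align64 is only an assumption about the kind of rounding dashdec's aligned() performs, and whether the FFMAX in the patch suffices depends on what c->max_url_size already accounts for, which the quoted hunks do not show.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical rounding helper: round a byte count up to a multiple of 64.
 * Assumed to resemble dashdec's aligned(); it is not the real function. */
static size_t align64(size_t n)
{
    return (n + 63) & ~(size_t)63;
}

/* Size a buffer for base + source + NUL: a concatenation needs the sum. */
size_t required_url_size(const char *base, const char *source)
{
    return align64(strlen(base) + strlen(source) + 1);
}

/* The alternative rule: size each part on its own and keep the larger,
 * which is what an FFMAX() of the two individual sizes computes. */
size_t max_of_url_sizes(const char *base, const char *source)
{
    size_t b = align64(strlen(base) + 1);
    size_t s = align64(strlen(source) + 1);
    return b > s ? b : s;
}

/* Write base followed by source into dst without ever writing past
 * dst_size bytes. Returns 0 on success and -1 when the result would not
 * fit, i.e. the truncation that dashdec reports as "invalid:truncated"
 * instead of overflowing. */
int join_url(char *dst, size_t dst_size, const char *base, const char *source)
{
    int n = snprintf(dst, dst_size, "%s%s", base, source);
    if (n < 0 || (size_t)n >= dst_size)
        return -1;
    return 0;
}

/* Constructed case: a 100-byte base URL and a 100-byte sourceURL.
 * Returns 1 when the sum-sized buffer holds the join and the max-sized
 * buffer truncates it, which is exactly the difference between the two
 * sizing rules. */
int demo_long_base_and_source(void)
{
    char base[101], source[101];
    memset(base, 'a', 100);
    base[100] = '\0';
    memset(source, 'b', 100);
    source[100] = '\0';

    size_t sum_size = required_url_size(base, source); /* 256 */
    size_t max_size = max_of_url_sizes(base, source);  /* 128 */

    char *buf = malloc(sum_size);
    if (!buf)
        return 0;
    int fits_with_sum = join_url(buf, sum_size, base, source) == 0;
    int fits_with_max = join_url(buf, max_size, base, source) == 0;
    free(buf);
    return fits_with_sum && !fits_with_max;
}

int main(void)
{
    printf("sum rule fits, max rule truncates: %s\n",
           demo_long_base_and_source() ? "yes" : "no");
    return 0;
}
```

The point of join_url is that a bounded write turns an undersized buffer into a detectable truncation rather than an overflow; the sizing helpers then decide how often that truncation is hit, and only the sum-based rule never hits it for inputs it was sized for.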
