From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id D09944D13E
	for <ffmpegdev@gitmailbox.com>; Wed, 16 Apr 2025 06:08:49 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 04068687D7C;
	Wed, 16 Apr 2025 09:08:45 +0300 (EEST)
Received: from mail-pg1-f178.google.com (mail-pg1-f178.google.com
 [209.85.215.178])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 01C39687D24
 for <ffmpeg-devel@ffmpeg.org>; Wed, 16 Apr 2025 09:08:37 +0300 (EEST)
Received: by mail-pg1-f178.google.com with SMTP id
 41be03b00d2f7-af19b9f4c8cso4440401a12.2
 for <ffmpeg-devel@ffmpeg.org>; Tue, 15 Apr 2025 23:08:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1744783715; x=1745388515; darn=ffmpeg.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=cVtS5L3RpEzSt5XI/QXlf7VMjtoWIuYUPwaja2nWRRA=;
 b=gwak0uLQ+LB/IgOWX40ZndYYojA76hgE7QhQYw7jGEAugpdF3GusFhunVhjAYDG2sO
 /VTXD2Vq3VmpDdUk3QC1wsOojth5VB0MPU/JJwhyAMYuhWW5TuLYv5USSJEIStyPSdG7
 EqaHeRnpU+xD35aAudCjyPXVeT2TIy2dO9aYs284LwFnktGIwgZc1iQ2+0aEmvKTCRtb
 QqcxJZ2zks5o4pfHK6htZBn/57g4Xv96J6SQtyiHhQvf4rPpqek7ZRuL24RK9TpKLL7I
 Y6LtIuxsGLdAAytf2Yuj2/J3mOi8Bbue/ScMIOySNrtw/JVErzjlEc1t78r2u/8T/8zj
 P2Kg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1744783715; x=1745388515;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=cVtS5L3RpEzSt5XI/QXlf7VMjtoWIuYUPwaja2nWRRA=;
 b=cWyhXalfjP6lyt6rfklDFKdTcsSJOr9kl5dyDmfyBcV1rGOz1ercWO1pG/XgrHDvj+
 3zx053MEYqvd7iXgPglgBwkbGdqET1AxyAiGvkZ7pAalUcba/wIhv+LtsA3flbWGE10e
 HESu3SqS8sYQ89BwTghz+BdMUJqQQO9GCQHwTOYlqg+Qh30R3wneQgcfWbznRZ/WnSSN
 cKR/+N1rcUfxLjZqTh1a92A952RSCsjqW21flqU6oAU50fGMkIvlL3IbAEWU9CEgl1Xd
 YofhywXbAoNtM6aipZbO5dVwL3q7bR4IAlvKEqgEQp7kVFoWa8olplUgV0sAKMwE++Ym
 cVwg==
X-Gm-Message-State: AOJu0YyzBLxcH9kD7/QrjdeHFAvEEX5JeKVhmcmsaV9eOqvyvGd/HDWT
 03CkwnDdx9BePwRaXrIHEAVeFYLdxCiF9geEB0+zoOBMR3uFWawqPW4XU8+rTlY=
X-Gm-Gg: ASbGncvvMJCfVPy5fT02OaPDCvvkUAA6iY0WJw1fuOK3Y1jeojNUj78XqKQlIyC2oeP
 tt94AB7SeBod+GgShIJ00DGn6Oee4bxcvOMxZ/hrJYfBk2IjiUfKP3xI/SxALwNmAt1ihyM4Oy1
 Izx5KO52MifzAuAEW/Ike3sR2SPakx2XmIuvNOHg+YWj/iXQx0uCKcDSxcwJOpe4tHOlppjUBpI
 3fwRAwrBoYt7MuxBjx74frFo1OubEJPdMX0kiN6Iusftjf2LlEKYvhD0ZGv+5eT3/JTunTokXDV
 3JgDJlGVlPmJqBJJwTC1sCmL1SiveFd3kE4N5Kl5ELgTAvm+FFF+D4CacY/+MEPOA7ZT
X-Google-Smtp-Source: AGHT+IFR1Y9VSGO6SG0NhPFMjSfimxmtOyZK8+J4lggSpB+YxvBEkJsRXZQIu9XmgJsZRuBMeUI5gA==
X-Received: by 2002:a17:90b:58ce:b0:306:b78a:e22d with SMTP id
 98e67ed59e1d1-30863f306aemr944745a91.20.1744783715079; 
 Tue, 15 Apr 2025 23:08:35 -0700 (PDT)
Received: from localhost.localdomain ([129.227.142.195])
 by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-308613c7f07sm681424a91.40.2025.04.15.23.08.33
 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
 Tue, 15 Apr 2025 23:08:34 -0700 (PDT)
From: xiaohuanshu@gmail.com
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 16 Apr 2025 14:08:16 +0800
Message-Id: <20250416060816.5065-1-xiaohuanshu@gmail.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20250411074808.33274-1-xiaohuanshu@gmail.com>
References: <20250411074808.33274-1-xiaohuanshu@gmail.com>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH v2] libavformat/dashdec: Fix buffer overflow
 in segment URL resolution
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: xiaohuanshu@gmail.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250416060816.5065-1-xiaohuanshu@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

From: xiaohuanshu <xiaohuanshu@gmail.com>

Problem:
The max_url_size calculation for DASH segment URLs only considered the base URL
length, leading to buffer overflow when the segment's sourceURL exceeded the
pre-allocated buffer. This triggered the log error:
"DASH request for url 'invalid:truncated'".

Reproduce:
1. A test sample "long-sourceurl-sample.mpd" (deliberately designed with a long
   sourceURL) was uploaded to VideoLAN's repository.
2. Reproduce with short base path:
   ffmpeg -i /tmp/short_path/long-sourceurl-sample.mpd
   -> Triggers "invalid:truncated" error
3. With an artificially lengthened base path (e.g. /aaa/../bbb/../...):
   ffmpeg -i /long/../path/../with/../many/../segments/long-sourceurl-sample.mpd
   -> URL resolves correctly (though HTTP fetch fails due to fake URL)

Fix:
Recalculate max_url_size by considering both base URL and sourceURL lengths,
ensuring sufficient buffer allocation during URL concatenation.

V2:
1. No need to determine whether initialization_val is NULL.
2. Fix the incorrect variable name.

Signed-off-by: xiaohuanshu <xiaohuanshu@gmail.com>
---
 libavformat/dashdec.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index c3f3d7f3f8..a574c91932 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -606,7 +606,7 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
     char *initialization_val = NULL;
     char *media_val = NULL;
     char *range_val = NULL;
-    int max_url_size = c ? c->max_url_size: MAX_URL_SIZE;
+    int max_url_size = 0;
     int err;
 
     if (!av_strcasecmp(fragmenturl_node->name, "Initialization")) {
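Review bot: the subject line says "buffer overflow", but the symptom the message describes is the 'invalid:truncated' diagnostic, i.e. the resolver noticed that the joined URL did not fit and refused it, which is a truncated URL rather than an out-of-bounds write, and nothing in these hunks shows memory being written past max_url_size. If an actual overflow was observed (for example under ASan), say so in the commit message and how; otherwise retitle along the lines of "fix truncated segment URLs when sourceURL is longer than the base URL" so the severity is not overstated. Initializing max_url_size to 0 here is only safe because both branches below assign it before use; a one-line comment saying so would help the next reader.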
@@ -620,6 +620,12 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
                 xmlFree(initialization_val);
                 return AVERROR(ENOMEM);
             }
+            max_url_size = FFMAX(
+                c ? c->max_url_size : 0,
+                aligned(strlen(initialization_val) +
+                        (rep_id_val ? strlen(rep_id_val) : 0) +
+                        (rep_bandwidth_val ? strlen(rep_bandwidth_val) : 0)));
+            max_url_size = max_url_size ? max_url_size : MAX_URL_SIZE;
             rep->init_section->url = get_content_url(baseurl_nodes, 4,
                                                      max_url_size,
                                                      rep_id_val,
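Review bot: the new bound is a maximum, not a sum. FFMAX(c->max_url_size, aligned(strlen(initialization_val) + ...)) is only as large as the larger of the context-wide limit and the segment-side strings, so a manifest whose base URL and sourceURL are both close to that limit still yields a joined URL longer than max_url_size once get_content_url concatenates them. If the intent, as the commit message puts it, is to consider "both base URL and sourceURL lengths", add the two terms rather than taking the larger, and confirm that aligned() leaves room for the terminating NUL when the sum is already a multiple of the alignment. The `c ? c->max_url_size : 0` followed by `max_url_size ? max_url_size : MAX_URL_SIZE` fallback is correct but reads oddly; a comment that MAX_URL_SIZE only applies when there is no context and no strings would help.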
@@ -641,6 +647,11 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
                 xmlFree(media_val);
                 return AVERROR(ENOMEM);
             }
+            max_url_size = FFMAX(
+                c ? c->max_url_size : 0,
+                aligned(strlen(media_val) + (rep_id_val ? strlen(rep_id_val) : 0) +
+                        (rep_bandwidth_val ? strlen(rep_bandwidth_val) : 0)));
+            max_url_size = max_url_size ? max_url_size : MAX_URL_SIZE;
             seg->url = get_content_url(baseurl_nodes, 4,
                                        max_url_size,
                                        rep_id_val,
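Review bot: this block is a copy of the computation added in the Initialization branch with media_val substituted for initialization_val; the v2 note about "the incorrect variable name" is exactly the kind of drift that duplication invites. Factor the five lines into a small static helper, e.g. `static int segment_url_size(DASHContext *c, const char *src, const char *id, const char *bw)`, and call it from both branches so they cannot diverge again. The same sizing concern applies here: the FFMAX keeps only the larger of c->max_url_size and the media-side string lengths, so the joined base + media URL can still exceed the buffer when both parts are long.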
@@ -2369,3 +2380,4 @@ const FFInputFormat ff_dash_demuxer = {
     .read_close     = dash_close,
     .read_seek      = dash_read_seek,
 };
+
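Review bot: this hunk adds only a trailing blank line after the ff_dash_demuxer closing brace, which is unrelated whitespace and will be flagged by git as a new blank line at EOF; drop it from the patch so the diff stays limited to the sizing change.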
-- 
2.39.5 (Apple Git-154)
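The sizing argument in the Problem and Fix paragraphs above, as an added example that is not part of this patch or of FFmpeg: a buffer sized from one URL component (the base URL only, or the larger of base and sourceURL) cannot hold the concatenation of both, while a buffer sized from their sum always can. The resolver `resolve_url`, the helpers `required_url_size`, `fits_in_budget`, `resolves_to` and the three `budget_*` policies are hypothetical simplified stand-ins for FFmpeg's own resolution and allocation code, and the sample URLs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample inputs (not taken from any real manifest). */
#define SAMPLE_BASE   "http://cdn.example/dash/manifest/"   /* 33 bytes */
#define SAMPLE_SOURCE "video/1080p/segment-000001.m4s"      /* 30 bytes */

/* Worst-case bytes for base + source + terminating NUL (hypothetical helper). */
size_t required_url_size(const char *base, const char *source)
{
    return strlen(base) + strlen(source) + 1;
}

/* Simplified stand-in for a URL resolver: an absolute source (contains "://")
 * replaces base; a relative one is appended after the last '/' of base.
 * Returns 0 on success, -1 if the result would not fit in size bytes; on -1
 * out is set to "" and nothing beyond out[size-1] is ever written. */
int resolve_url(char *out, size_t size, const char *base, const char *source)
{
    size_t prefix_len = 0, need;

    if (size == 0)
        return -1;
    out[0] = '\0';
    if (!strstr(source, "://")) {
        const char *slash = strrchr(base, '/');
        prefix_len = slash ? (size_t)(slash - base) + 1 : 0;
    }
    need = prefix_len + strlen(source) + 1;
    if (need > size)
        return -1;                 /* refuse instead of truncating or overrunning */
    memcpy(out, base, prefix_len);
    memcpy(out + prefix_len, source, strlen(source) + 1);
    return 0;
}

/* Three ways of choosing the buffer size for the same inputs. */
size_t budget_base_only(const char *base, const char *source)
{
    (void)source;
    return strlen(base) + 1;                   /* what the bug report describes */
}
size_t budget_max(const char *base, const char *source)
{
    size_t b = strlen(base), s = strlen(source);
    return (b > s ? b : s) + 1;                /* larger component only */
}
size_t budget_sum(const char *base, const char *source)
{
    return required_url_size(base, source);    /* both components */
}

/* Allocate budget bytes and try to resolve into them: 1 = fit, 0 = rejected. */
int fits_in_budget(size_t budget, const char *base, const char *source)
{
    char *buf = malloc(budget);
    int ok;

    if (!buf)
        return 0;
    ok = resolve_url(buf, budget, base, source) == 0;
    free(buf);
    return ok;
}

/* 1 if resolving source against base yields exactly expected. */
int resolves_to(const char *base, const char *source, const char *expected)
{
    char out[256];
    return resolve_url(out, sizeof out, base, source) == 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    printf("base-only budget fits: %d\n",
           fits_in_budget(budget_base_only(SAMPLE_BASE, SAMPLE_SOURCE), SAMPLE_BASE, SAMPLE_SOURCE));
    printf("max budget fits:       %d\n",
           fits_in_budget(budget_max(SAMPLE_BASE, SAMPLE_SOURCE), SAMPLE_BASE, SAMPLE_SOURCE));
    printf("sum budget fits:       %d\n",
           fits_in_budget(budget_sum(SAMPLE_BASE, SAMPLE_SOURCE), SAMPLE_BASE, SAMPLE_SOURCE));
    return 0;
}
```

With the constructed inputs the base-only and larger-component budgets both come to 34 bytes, while the joined URL needs 64, so only the sum-based budget resolves; the resolver refuses rather than truncates, which is the safe failure mode when the caller has mis-sized the buffer.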

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".