From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id 2ED934D17B
	for <ffmpegdev@gitmailbox.com>; Wed, 16 Apr 2025 06:56:33 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 93D19687D79;
	Wed, 16 Apr 2025 09:56:27 +0300 (EEST)
Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com
 [209.85.210.177])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 42351687D7B
 for <ffmpeg-devel@ffmpeg.org>; Wed, 16 Apr 2025 09:56:21 +0300 (EEST)
Received: by mail-pf1-f177.google.com with SMTP id
 d2e1a72fcca58-73712952e1cso6150601b3a.1
 for <ffmpeg-devel@ffmpeg.org>; Tue, 15 Apr 2025 23:56:21 -0700 (PDT)
X-Received: by 2002:a05:6a00:44c7:b0:736:ab1e:7775 with SMTP id
 d2e1a72fcca58-73c264c3288mr1199413b3a.0.1744786578389; 
 Tue, 15 Apr 2025 23:56:18 -0700 (PDT)
Received: from localhost.localdomain ([129.227.142.195])
 by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-73bd22f830esm9953106b3a.95.2025.04.15.23.56.16
 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
 Tue, 15 Apr 2025 23:56:17 -0700 (PDT)
From: xiaohuanshu@gmail.com
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 16 Apr 2025 14:56:12 +0800
Message-Id: <20250416065612.95947-1-xiaohuanshu@gmail.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20250411074808.33274-1-xiaohuanshu@gmail.com>
References: <20250411074808.33274-1-xiaohuanshu@gmail.com>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH v3] libavformat/dashdec: Fix buffer overflow
 in segment URL resolution
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: xiaohuanshu@gmail.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250416065612.95947-1-xiaohuanshu@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

From: xiaohuanshu <xiaohuanshu@gmail.com>

Problem:
The max_url_size calculation for DASH segment URLs only considered the base URL
length, leading to buffer overflow when the segment's sourceURL exceeded the
pre-allocated buffer. This triggered the log error:
"DASH request for url 'invalid:truncated'".

Reproduce:
1. A test sample "long-sourceurl-sample.mpd" (deliberately designed with a long
   sourceURL) was uploaded to VideoLAN's repository.
2. Reproduce with short base path:
   ffmpeg -i /tmp/short_path/long-sourceurl-sample.mpd
   -> Triggers "invalid:truncated" error
3. With artificially lengthened base path (e.g. /aaa/../bbb/../...):
   ffmpeg -i /long/../path/../with/../many/../segments/long-sourceurl-sample.mpd
   -> URL resolves correctly (though HTTP fetch fails due to fake URL)

Fix:
Recalculate max_url_size by considering both base URL and sourceURL lengths,
ensuring sufficient buffer allocation during URL concatenation.

V2:
1. No need to determine whether initialization_val is NULL.
2. Fix the incorrect variable name.

V3:
1. Narrow the scope of `max_url_size` to the `Initialization` and `Media` blocks.

Signed-off-by: xiaohuanshu <xiaohuanshu@gmail.com>
---
 libavformat/dashdec.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index c3f3d7f3f8..31a84bd184 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -606,7 +606,6 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
     char *initialization_val = NULL;
     char *media_val = NULL;
     char *range_val = NULL;
-    int max_url_size = c ? c->max_url_size: MAX_URL_SIZE;
     int err;
 
     if (!av_strcasecmp(fragmenturl_node->name, "Initialization")) {
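Review bot: Removing the function-scope `max_url_size` at the top of parse_manifest_segmenturlnode is only safe if the block-scoped definitions added further down cover every remaining use of the name in this function; any reference left outside the `Initialization` and `Media` blocks would no longer compile, so build and test the whole function rather than judging this hunk in isolation. The removed line was also the one place that stated the `c ? c->max_url_size : MAX_URL_SIZE` fallback; if that fallback is kept in each block it deserves a comment on when `c` can actually be NULL here.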
@@ -620,6 +619,12 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
                 xmlFree(initialization_val);
                 return AVERROR(ENOMEM);
             }
+            int max_url_size = FFMAX(
+                c ? c->max_url_size : 0,
+                aligned(strlen(initialization_val) +
+                        (rep_id_val ? strlen(rep_id_val) : 0) +
+                        (rep_bandwidth_val ? strlen(rep_bandwidth_val) : 0)));
+            max_url_size = max_url_size ? max_url_size : MAX_URL_SIZE;
             rep->init_section->url = get_content_url(baseurl_nodes, 4,
                                                      max_url_size,
                                                      rep_id_val,
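Review bot: The FFMAX at the top of this hunk takes the larger of the base-URL size (`c->max_url_size`) and the sourceURL-derived size rather than their sum, so a long base URL together with a long `initialization_val` can still exceed the buffer that get_content_url fills with both; the commit message says the fix considers both lengths, which needs an addition, e.g. `aligned((c ? c->max_url_size : MAX_URL_SIZE) + strlen(initialization_val) + ...)` with the FFMAX dropped. Second, `strlen(initialization_val)` is called unguarded while `rep_id_val` and `rep_bandwidth_val` are NULL-checked on the adjacent lines; the V2 note in the commit message removed exactly that check, and unless the enclosing condition guarantees `initialization_val` is non-NULL (the `xmlFree(initialization_val)` two lines above tolerates NULL, so it is not evidence either way), an `Initialization` element without a `sourceURL` attribute would dereference NULL here. Third, `max_url_size = max_url_size ? max_url_size : MAX_URL_SIZE;` only fires when `c` is NULL (or `c->max_url_size` is 0) and the aligned sum is also 0, i.e. an empty sourceURL; a one-line comment saying so would spare the next reader the arithmetic.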
@@ -641,6 +646,11 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
                 xmlFree(media_val);
                 return AVERROR(ENOMEM);
             }
+            int max_url_size = FFMAX(
+                c ? c->max_url_size : 0,
+                aligned(strlen(media_val) + (rep_id_val ? strlen(rep_id_val) : 0) +
+                        (rep_bandwidth_val ? strlen(rep_bandwidth_val) : 0)));
+            max_url_size = max_url_size ? max_url_size : MAX_URL_SIZE;
             seg->url = get_content_url(baseurl_nodes, 4,
                                        max_url_size,
                                        rep_id_val,
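Review bot: The same two questions apply to `strlen(media_val)`: it is unguarded while the two template values beside it are NULL-checked, and the FFMAX takes the larger of the base-URL size and the media-derived size instead of adding them, so a long base URL plus a long `media_val` can still truncate. The sizing expression is now also duplicated almost verbatim between the `Initialization` and `Media` blocks (five lines each); a small static helper, e.g. `segment_url_size(c, val, rep_id_val, rep_bandwidth_val)`, would keep the two in step and give the NULL handling a single home. Finally, the long-sourceURL sample named in the commit message is a ready-made regression input; wiring it into a FATE test would keep the truncation from coming back silently.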
-- 
2.39.5 (Apple Git-154)
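As an added example (not code from this patch or from FFmpeg), the C program below models the buffer-sizing question the commit message describes. `aligned()`, `buffer_size()`, `join_url()` and `demo_case()` are stand-ins written for this illustration, the base URL and segment names are constructed inputs, the `c->max_url_size` value is approximated by the aligned length of the base URL, and the `invalid:truncated` marker mimics the behaviour the commit message reports rather than calling FFmpeg's resolver. It goes beyond the patch by comparing four sizing policies side by side: the pre-patch base-only size, the FFMAX-of-both shape the patch uses, a plain sum of the lengths, and a sum padded for the terminator, which also exposes the corner where a 64-byte round-up leaves no byte for the NUL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Round up to a multiple of 64; same shape as the aligned() helper the
 * patch calls (assumption for this model). */
static int aligned(int val)
{
    return ((val + 0x3F) >> 6) << 6;
}

/* Four ways to size the scratch buffer that receives base + relative URL.
 * BASE_ONLY    : pre-patch behaviour, base URL length only.
 * MAX_OF_BOTH  : larger of base and segment sizes (the FFMAX shape).
 * SUM_OF_BOTH  : aligned(base + segment).
 * SUM_PLUS_NUL : aligned(base + segment + 1), room for the terminator. */
enum policy { BASE_ONLY, MAX_OF_BOTH, SUM_OF_BOTH, SUM_PLUS_NUL };

int buffer_size(enum policy p, const char *base, const char *rel)
{
    int blen = (int)strlen(base), rlen = (int)strlen(rel);
    int ab = aligned(blen), ar = aligned(rlen);
    switch (p) {
    case BASE_ONLY:    return ab;
    case MAX_OF_BOTH:  return ab > ar ? ab : ar;
    case SUM_OF_BOTH:  return aligned(blen + rlen);
    default:           return aligned(blen + rlen + 1);
    }
}

/* Stand-in for the concatenation inside the resolver: writes base+rel into
 * a buffer of max_url_size bytes, or the marker quoted in the commit
 * message when it does not fit.  Returns 1 if it fit, 0 if truncated. */
static int join_url(char *buf, int max_url_size, const char *base, const char *rel)
{
    int need = snprintf(NULL, 0, "%s%s", base, rel);   /* bytes excluding NUL */
    if (need >= max_url_size) {
        snprintf(buf, (size_t)max_url_size, "invalid:truncated");
        return 0;
    }
    snprintf(buf, (size_t)max_url_size, "%s%s", base, rel);
    return 1;
}

static char last_url[1024];   /* URL produced by the most recent demo_case() */

const char *last_result(void) { return last_url; }

/* Construct a base URL of base_len bytes ("http://h/" plus padding) and a
 * segment name of rel_len bytes, then resolve with the chosen policy.
 * Returns 1 on success, 0 on truncation, -1 on bad input or OOM. */
int demo_case(enum policy p, int base_len, int rel_len)
{
    char base[512], rel[512], *tmp;
    int size, ok;

    if (base_len < 9 || base_len >= (int)sizeof base ||
        rel_len < 1 || rel_len >= (int)sizeof rel)
        return -1;
    memcpy(base, "http://h/", 9);
    memset(base + 9, 'p', (size_t)(base_len - 9));
    base[base_len] = '\0';
    memset(rel, 's', (size_t)rel_len);
    rel[rel_len] = '\0';

    size = buffer_size(p, base, rel);
    if (size < 1)
        size = 1;
    tmp = calloc((size_t)size, 1);
    if (!tmp)
        return -1;
    ok = join_url(tmp, size, base, rel);
    snprintf(last_url, sizeof last_url, "%s", tmp);
    free(tmp);
    return ok;
}

int main(void)
{
    static const char *names[] = { "base-only", "max-of-both", "sum", "sum+1" };
    int p;
    for (p = BASE_ONLY; p <= SUM_PLUS_NUL; p++) {
        printf("%-12s short base, long segment : %s\n", names[p],
               demo_case((enum policy)p, 21, 100) ? "ok" : last_result());
        printf("%-12s long base, long segment  : %s\n", names[p],
               demo_case((enum policy)p, 100, 100) ? "ok" : last_result());
        printf("%-12s base+segment == 64 bytes : %s\n", names[p],
               demo_case((enum policy)p, 28, 36) ? "ok" : last_result());
    }
    return 0;
}
```

The middle row is the one that matters for the patch: with a 100-byte base and a 100-byte segment name, max-of-both allocates 128 bytes for a 200-byte result and still truncates, while the sum policies do not. The last row shows why the sum should carry a +1 before rounding: when base plus segment is exactly 64 bytes, a 64-byte round-up returns 64 and leaves no byte for the terminator.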

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".