virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-28 20:53:54 +02:00
Code Issues Releases Activity

avformat/mov: Fix opening relative references

Browse Source 
Possibly fixes Ticket4671

the removed check is wrong and insufficient

Based on patch by Maksym Veremeyenko <verem@m1.tv>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2015-07-15 01:01:30 +02:00
parent bfd17046c1
commit c9c7263e58
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libavformat/mov.c
View File

@ -2708,7 +2708,7 @@ static int mov_open_dref(MOVContext *c, AVIOContext **pb, const char *src, MOVDr
/* try relative path, we do not try the absolute because it can leak information about our
system to an attacker */
if (ref->nlvl_to > 0 && ref->nlvl_from > 0 && ref->path[0] != '/') {
if (ref->nlvl_to > 0 && ref->nlvl_from > 0) {
char filename[1025];
const char *src_path;
int i, l;
@ -2739,7 +2739,10 @@ static int mov_open_dref(MOVContext *c, AVIOContext **pb, const char *src, MOVDr
av_strlcat(filename, ref->path + l + 1, sizeof(filename));
if (!c->use_absolute_path && !c->fc->open_cb)
if(strstr(ref->path + l + 1, "..") || ref->nlvl_from > 1)
if(strstr(ref->path + l + 1, "..") ||
strstr(ref->path + l + 1, ":") ||
ref->nlvl_from > 1 ||
(filename[0] == '/' && src_path == src))
return AVERROR(ENOENT);
if (strlen(filename) + 1 == sizeof(filename))