mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-21 10:55:51 +02:00
Commit Graph

175 Commits

Author SHA1 Message Date
Steven Liu
2906363d1b avformat/hls: release mem resource to fix memleak
fix CID: 1426991

Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
Signed-off-by: Aman Gupta <aman@tmm1.net>
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2017-12-31 10:43:54 -08:00
Aman Gupta
97b89432e4 avformat/hls: ignore http_persistent for segments requiring crypto
Encrypted HLS segments have regular http:// urls, but open_input()
actually prefixes them with crypto+ before calling open_url(), so
they end up using the crypto protocol and not the http protocol.

This means invoking ff_http_do_new_request will fail, so we avoid
calling it in the first place. After the earlier http.c commit,
the failure results in a warning printed to the user. In earlier
versions, the failure would cause a segfault.

Signed-off-by: Aman Gupta <aman@tmm1.net>
2017-12-30 21:07:55 -08:00
Aman Gupta
1dd82edea5 avformat/hls: enable http_multiple only for http/1.1 servers
Some http/1.0 implementations, like python's SimpleHTTPServer, can only support one client connection at a time. Making a second request while the first is still connected leads to a deadlock.

This change enables multiple connections for http/1.1 servers only, which need to support keepalive by default and should have no problem with concurrent requests.

Signed-off-by: Aman Gupta <aman@tmm1.net>
2017-12-26 14:53:19 -08:00
Aman Gupta
ac19e63b18 avformat/hls: respect http_persistent only for http playlist urls
Fixes a segfault when reading a live playlist (without end tag) from non-http url (like a file on disk).

Signed-off-by: Aman Gupta <aman@tmm1.net>
2017-12-26 14:48:14 -08:00
Aman Gupta
a232a72d77 avformat/hls: return AVERROR_PROTOCOL_NOT_FOUND when http protocol is not available
Fixes compile error when building with network or protocols disabled.

This code would never be reached (because the demuxer fails much earlier on http playlists or segments), so it doesn't matter much what we do here as long as it compiles.

Signed-off-by: Aman Gupta <aman@tmm1.net>
2017-12-26 14:48:13 -08:00
Aman Gupta
2f9ca64556 avformat/hls: remove repeated http proto_name checks in open_url()
Signed-off-by: Aman Gupta <aman@tmm1.net>
2017-12-26 14:48:13 -08:00
Aman Gupta
207e98b4e5 avformat/hls: fix SEGV in previous commit
Signed-off-by: Aman Gupta <aman@tmm1.net>
2017-12-24 12:31:27 -08:00
Aman Gupta
b33cf73507 avformat/hls: fix memory leak with non-http segments
Signed-off-by: Aman Gupta <aman@tmm1.net>
2017-12-24 11:59:32 -08:00
Aman Gupta
3d95868d1b avformat/hls: fix CID 1426930
Signed-off-by: Aman Gupta <aman@tmm1.net>
2017-12-24 11:58:30 -08:00
Aman Gupta
5f4a32a6e3 avformat/hls: hide misleading warning when http reconnect is required
AVERROR_EOF is an internal error which means the http socket is no longer
valid for new requests. It informs the caller that a new connection must
be established, and as such does not need to be surfaced to the user as
a warning.

Signed-off-by: Aman Gupta <aman@tmm1.net>
2017-12-22 16:41:41 -08:00
Aman Gupta
1f0eaa02aa avformat/hls: add http_multiple option
This improves network throughput of the hls demuxer by avoiding
the latency introduced by downloading segments one at a time.

The problem is particularly noticeable over high-latency network
connections: for instance, if RTT is 250ms, there will be a 250ms idle
period between when one segment response is read and the next one
starts.

The obvious solution to this is to use HTTP pipelining, where a
second request can be sent (on the persistent http/1.1 connection)
before the first response is fully read. Unfortunately the way the
http protocol is implemented in avformat makes implementing pipelining
very complex.

Instead, this commit simulates pipelining using two separate persistent
http connections. This has the advantage of working independently of
the http_persistent option, and can be used with http/1.0 servers as
well. The pair of connections is swapped every time a new segment starts
downloading, and a request for the next segment is sent on the secondary
connection right away. This means the second response will be ready and
waiting by the time the current response is fully read.

Signed-off-by: Aman Gupta <aman@tmm1.net>
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2017-12-22 14:42:50 -08:00
Aman Gupta
03765aa6fa avformat/hls: allow open_input to be re-used
Signed-off-by: Aman Gupta <aman@tmm1.net>
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2017-12-22 14:42:50 -08:00
Aman Gupta
b7d6c0cd48 avformat/hls: add http_persistent option
This teaches the HLS demuxer to use the HTTP protocol's
multiple_requests=1 option, to take advantage of "Connection:
Keep-Alive" when downloading playlists and segments from the HLS server.

With the new option, you can avoid TCP connection and TLS negotiation
overhead, which is particularly beneficial when streaming via a
high-latency internet connection.

Similar to the http_persistent option recently implemented in hlsenc.c

Signed-off-by: Aman Gupta <aman@tmm1.net>
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2017-12-22 14:42:50 -08:00
Anssi Hannula
143552095d avformat/hls: Obey AVProgram discard flags
Currently HLS demuxer only obeys AVStream discard flags but not
AVProgram (which bandwidth variants appear as) discard flags.

Fix that.
2017-11-28 12:47:42 +02:00
Anssi Hannula
1dff9adcb9 avformat/hls: Factor playlist need check to a common function
2017-11-28 12:30:31 +02:00
James Almer
318778de9e Merge commit 'fd9212f2edfe9b107c3c08ba2df5fd2cba5ab9e3'
* commit 'fd9212f2edfe9b107c3c08ba2df5fd2cba5ab9e3':
  Mark some arrays that never change as const.

Merged-by: James Almer <jamrial@gmail.com>
2017-09-26 16:02:40 -03:00
Michael Niedermayer
7ec414892d avformat/hls: Fix DoS due to infinite loop
Fixes: loop.m3u

The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome

Found-by: Xiaohei and Wangchu from Alibaba Security Team

Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-27 19:19:00 +02:00
Michael Niedermayer
189ff42196 avformat/hls: Check local file extensions
This reduces the attack surface of local file-system
information leaking.

It prevents the existing exploit leading to an information leak. As
well as similar hypothetical attacks.

Leaks of information from files and symlinks ending in common multimedia extensions
are still possible. But files with sensitive information like private keys and passwords
generally do not use common multimedia filename extensions.
It does not stop leaks via remote addresses in the LAN.

The existing exploit depends on a specific decoder as well.
It does appear though that the exploit should be possible with any decoder.
The problem is that as long as sensitive information gets into the decoder,
the output of the decoder becomes sensitive as well.
The only obvious solution is to prevent access to sensitive information. Or to
disable hls or possibly some of its features. More complex solutions like
checking the path to limit access to only subdirectories of the hls path may
work as an alternative. But such solutions are fragile and tricky to implement
portably and would not stop every possible attack nor would they work with all
valid hls files.

Developers have expressed their dislike / objected to disabling hls by default as well
as disabling hls with local files. There also were objections against restricting
remote url file extensions. This here is a less robust but also lower
inconvenience solution.
It can be applied stand alone or together with other solutions.
limiting the check to local files was suggested by nevcairiel

This recommits the security fix without the author name joke which was
originally requested by Nicolas.

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-05 13:55:01 +02:00
Michael Niedermayer
c0702ab830 Revert "avformat/hls: Check local file extensions"
Requested-by: Paul B Mahol <onemda@gmail.com>
This reverts commit caf7d6178a.
2017-06-05 13:55:01 +02:00
Sysiphus
caf7d6178a avformat/hls: Check local file extensions
This reduces the attack surface of local file-system
information leaking.

It prevents the existing exploit leading to an information leak. As
well as similar hypothetical attacks.

Leaks of information from files and symlinks ending in common multimedia extensions
are still possible. But files with sensitive information like private keys and passwords
generally do not use common multimedia filename extensions.
It does not stop leaks via remote addresses in the LAN.

The existing exploit depends on a specific decoder as well.
It does appear though that the exploit should be possible with any decoder.
The problem is that as long as sensitive information gets into the decoder,
the output of the decoder becomes sensitive as well.
The only obvious solution is to prevent access to sensitive information. Or to
disable hls or possibly some of its features. More complex solutions like
checking the path to limit access to only subdirectories of the hls path may
work as an alternative. But such solutions are fragile and tricky to implement
portably and would not stop every possible attack nor would they work with all
valid hls files.

Developers have expressed their dislike / objected to disabling hls by default as well
as disabling hls with local files. There also were objections against restricting
remote url file extensions. This here is a less robust but also lower
inconvenience solution.
It can be applied stand alone or together with other solutions.
limiting the check to local files was suggested by nevcairiel

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-05 03:03:11 +02:00
Micah Galizia
c4c73020f4 libavformat/hls: Observe Set-Cookie headers
Signed-off-by: Micah Galizia <micahgalizia@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-29 02:00:08 +02:00
Clément Bœsch
ef01061225 lavf/hls: do not transfer custom IO flag
See 0dcac9c3f0
2017-05-22 17:31:32 +02:00
Jan Berkel
aff80aa4ec hls: consistent use of user_agent
This came up while debugging a problem with mpv:
https://github.com/mpv-player/mpv/issues/4155

Signed-off-by: wm4 <nfxjfg@googlemail.com>
2017-03-23 12:51:21 +01:00
wm4
597c6b789e hls: pass AVFormatContext flags to sub demuxer
2017-03-09 16:24:00 +01:00
Anton Khirnov
fd9212f2ed Mark some arrays that never change as const.
2017-02-01 10:42:59 +01:00
Andreas Cadhalpun
2c90316b46 hls: fix leaking avio_opts on hls_read_header error
Use the hls_close function to reduce code duplication.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-07 19:44:41 +01:00
Andreas Cadhalpun
a305e0e5c0 hls: move hls_close above hls_read_header
This is needed for the following commit.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-07 19:43:43 +01:00
Anssi Hannula
e2193b53ea avformat/hls: Add missing error check for avcodec_parameters_copy()
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2016-11-07 18:56:36 +02:00
Anssi Hannula
3d2f636497 avformat/hls: Fix probing mpegts audio streams that use probing
Commit 04964ac311 ("avformat/hls: Fix missing streams in some
cases with MPEG TS") caused a regression where subdemuxer streams that
use probing (e.g. dts/eac3/mp2 in mpegts) no longer get probed properly.

This is because the codec parameters from the subdemuxer stream, once
probed, are not passed on to the main stream.

Fix that by updating the codec parameters if the codec id changes.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2016-11-07 18:56:36 +02:00
Anssi Hannula
9a51cd35b8 avformat/hls: Factor copying stream info to a separate function
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2016-11-07 18:56:36 +02:00
Anssi Hannula
a6f5e25ad9 avformat/hls: Fix handling of EXT-X-BYTERANGE streams over 2GB
Replace uses of atoi() with strtoll() when trying to read values into
int64_t variables.

Fixes Kodi trac #16926:
http://trac.kodi.tv/ticket/16926
2016-09-24 09:46:32 +03:00
Anssi Hannula
04964ac311 avformat/hls: Fix missing streams in some cases with MPEG TS
HLS demuxer calls the subdemuxer avformat_find_stream_info() while
overriding the subdemuxer AVFMTCTX_NOHEADER flag by clearing it.
However, this prevents some streams in some MPEG TS streams from being
detected properly.

Simply removing the clearing of the flag would cause the inner
avformat_find_stream_info() call to take longer in some cases, without
a way to control it.

To fix the issue, do not clear the flag but propagate it to HLS demuxer.
To avoid the above-mentioned mandatory delay, the call to
avformat_find_stream_info() is dropped except in the HLS ID3 timestamped
case. The HLS demuxer user should be calling avformat_find_stream_info()
on the HLS demuxer if it wants to find the stream info.

The main streams are now created dynamically after read_header time if
the subdemuxer uses AVFMTCTX_NOHEADER (mpegts).

Subdemuxer avformat_find_stream_info() is still called for the HLS ID3
timestamped case as the HLS demuxer needs to know the packet durations
to properly interleave ID3 timestamped streams with MPEG TS streams on
sub-segment level.

Fixes ticket #4930.
2016-07-28 01:24:57 +03:00
Anssi Hannula
83db3c84fa avformat/hls: Move stream propagation to a separate function
Creation of main demuxer streams from subdemuxer streams is moved to
update_streams_from_subdemuxer() which can be called repeatedly.

There should be no functional changes.
2016-07-28 01:24:57 +03:00
Anssi Hannula
9884f17e34 avformat/hls: Use an array instead of stream offset for stream mapping
This will be useful when the amount of streams per subdemuxer is not
known at hls_read_header time in a following commit.
2016-07-28 01:24:57 +03:00
Anssi Hannula
4d85069e5d avformat/hls: Sync starting segment across variants on live streams
This will avoid a large time difference between variants in the most
common case.
2016-07-28 01:24:57 +03:00
Anssi Hannula
9cb30f7a88 avformat/hls: Fix regression with ranged media segments
Commit 81306fd4bdf ("hls: eliminate ffurl_* usage", merged in d0fc5de3a6)
changed the hls demuxer to use AVIOContext instead of URLContext for its
HTTP requests.

HLS demuxer uses the "offset" option of the http demuxer, requesting
the initial file offset for the I/O (http URLProtocol uses the "Range:"
HTTP header to try to accommodate that).

However, the code in libavformat/aviobuf.c seems to be doing its own
accounting for the current file offset (AVIOContext.pos), with the
assumption that the initial offset is always zero.

HLS demuxer does an explicit seek after open_url to account for cases
where the "offset" was not effective (due to the URL being a local file
or the HTTP server not obeying it), which should be a no-op in case the
file offset is already at that position.

However, since aviobuf.c code thinks the starting offset is 0, this
doesn't work properly.

This breaks retrieval of ranged media segments.

To fix the regression, just drop the seek call from the HLS demuxer when
the HTTP(S) protocol is used.
2016-07-28 01:24:57 +03:00
Clément Bœsch
8df1dbd798 Merge commit '5afb94c817abffad030c6b94d7003dca8aace3d5'
* commit '5afb94c817abffad030c6b94d7003dca8aace3d5':
  Mark read-only tables as static

Merged-by: Clément Bœsch <u@pkh.me>
2016-06-21 22:09:35 +02:00
Diego Biurrun
5afb94c817 Mark read-only tables as static
2016-05-05 10:48:34 +02:00
Derek Buitenhuis
6f69f7a8bf Merge commit '9200514ad8717c63f82101dc394f4378854325bf'
* commit '9200514ad8717c63f82101dc394f4378854325bf':
  lavf: replace AVStream.codec with AVStream.codecpar

This has been a HUGE effort from:
    - Derek Buitenhuis <derek.buitenhuis@gmail.com>
    - Hendrik Leppkes <h.leppkes@gmail.com>
    - wm4 <nfxjfg@googlemail.com>
    - Clément Bœsch <clement@stupeflix.com>
    - James Almer <jamrial@gmail.com>
    - Michael Niedermayer <michael@niedermayer.cc>
    - Rostislav Pehlivanov <atomnuker@gmail.com>

Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-04-10 20:59:55 +01:00
Hendrik Leppkes
eae2d89bf7 hls: handle crypto in the protocol checks
Fixes issue 5248
2016-03-16 10:31:41 +01:00
Hendrik Leppkes
0d4b8a2c16 hls: read protocol options through the AVIOContext
This reverts commit 9f9ed79d4c.

The hlsopts member was never set anywhere and always NULL, furthermore
the HLS demuxer needs to retrieve the proper options from the underlying
http protocol (cookies, user-agent, etc), so a dummy context won't help.

Instead, use the AVIOContext directly to access the options.
2016-03-16 10:31:36 +01:00
Derek Buitenhuis
93629735d7 avformat: Add a protocol blacklisting API
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-03-04 16:13:42 +00:00
Derek Buitenhuis
9f9ed79d4c hls: Add and use a member of AVIOInternal rather than abuse opaque
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-02-29 20:10:11 +00:00
Derek Buitenhuis
f1e7c42f08 Merge commit '225e84e74544062706c0159ec0737b0e1d40915f'
* commit '225e84e74544062706c0159ec0737b0e1d40915f':
  hls: disallow opening nested files in child demuxers

Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-02-29 15:50:32 +00:00
Anton Khirnov
9200514ad8 lavf: replace AVStream.codec with AVStream.codecpar
Currently, AVStream contains an embedded AVCodecContext instance, which
is used by demuxers to export stream parameters to the caller and by
muxers to receive stream parameters from the caller. It is also used
internally as the codec context that is passed to parsers.

In addition, it is also widely used by the callers as the decoding (when
demuxer) or encoding (when muxing) context, though this has been
officially discouraged since Libav 11.

There are multiple important problems with this approach:
    - the fields in AVCodecContext are in general one of
        * stream parameters
        * codec options
        * codec state
      However, it's not clear which ones are which. It is consequently
      unclear which fields a demuxer is allowed to set or a muxer allowed to
      read. This leads to erratic behaviour depending on whether decoding or
      encoding is being performed or not (and whether it uses the AVStream
      embedded codec context).
    - various synchronization issues arising from the fact that the same
      context is used by several different APIs (muxers/demuxers,
      parsers, bitstream filters and encoders/decoders) simultaneously, with
      there being no clear rules for who can modify what and the different
      processes being typically delayed with respect to each other.
    - avformat_find_stream_info() making it necessary to support opening
      and closing a single codec context multiple times, thus
      complicating the semantics of freeing various allocated objects in the
      codec context.

Those problems are resolved by replacing the AVStream embedded codec
context with a newly added AVCodecParameters instance, which stores only
the stream parameters exported by the demuxers or read by the muxers.
2016-02-23 17:01:58 +01:00
Anton Khirnov
225e84e745 hls: disallow opening nested files in child demuxers
2016-02-22 11:30:33 +01:00
Michael Niedermayer
58f21b6c93 avformat/hls: fix potential integer overflow
This is not a regression

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-02-16 21:46:00 +01:00
Derek Buitenhuis
d0fc5de3a6 Merge commit '81306fd4bdeb5c17d4db771e4fec684773b5790f'
* commit '81306fd4bdeb5c17d4db771e4fec684773b5790f':
  hls: eliminate ffurl_* usage

Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-02-16 16:27:14 +00:00
Derek Buitenhuis
bc9a5965c8 Merge commit '9f61abc8111c7c43f49ca012e957a108b9cc7610'
This also deprecates our old duplicated callbacks.

* commit '9f61abc8111c7c43f49ca012e957a108b9cc7610':
  lavf: allow custom IO for all files

Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-02-10 14:42:41 +00:00
Michael Niedermayer
fe3fed0b14 Update demuxers and protocols for protocol whitelist support
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-02-02 04:16:50 +01:00