1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-08 13:22:53 +02:00
Commit Graph

112 Commits

Author SHA1 Message Date
Michael Niedermayer
e447d3143f avformat/hls: Check local file extensions
This reduces the attack surface of local file-system
information leaking.

It prevents the existing exploit leading to an information leak. As
well as similar hypothetical attacks.

Leaks of information from files and symlinks ending in common multimedia extensions
are still possible. But files with sensitive information like private keys and passwords
generally do not use common multimedia filename extensions.
It does not stop leaks via remote addresses in the LAN.

The existing exploit depends on a specific decoder as well.
It does appear though that the exploit should be possible with any decoder.
The problem is that as long as sensitive information gets into the decoder,
the output of the decoder becomes sensitive as well.
The only obvious solution is to prevent access to sensitive information. Or to
disable hls or possibly some of its feature. More complex solutions like
checking the path to limit access to only subdirectories of the hls path may
work as an alternative. But such solutions are fragile and tricky to implement
portably and would not stop every possible attack nor would they work with all
valid hls files.

Developers have expressed their dislike / objected to disabling hls by default as well
as disabling hls with local files. There also where objections against restricting
remote url file extensions. This here is a less robust but also lower
inconvenience solution.
It can be applied stand alone or together with other solutions.
limiting the check to local files was suggested by nevcairiel

This recommits the security fix without the author name joke which was
originally requested by Nicolas.

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 189ff42196)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-05 23:16:54 +02:00
Michael Niedermayer
28f89bc439 avformat/hls: Even stricter URL checks
This fixes a null pointer dereference at least

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cfda1bea4c)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-01-15 15:49:35 +01:00
Michael Niedermayer
23b903aaf4 avformat/hls: More strict url checks
No case is known where these are needed

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6ba42b6482)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-01-15 14:17:28 +01:00
Maxim Andreev
b7d54d6e07 avformat/hls: forbid all protocols except http(s) & file
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7145e80b4f)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-01-15 12:30:40 +01:00
Lucas de Andrade
fcb8ee98f6 avformat/hls: update cookies on setcookie response
Context cookies must be updated when a playlist response return Setcookie header.

See: 770dd10504
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-10-30 18:12:30 +01:00
Anssi Hannula
68a6178ef0 avformat/hls: add support for EXT-X-MAP
Without EXT-X-MAP support we miss the first bytes of some streams.

These streams worked by luck before byte-ranged segment support was added in
da7759b357

Fixes ticket #4797.
(cherry picked from commit 9099079488)

Conflicts:
	libavformat/hls.c
2015-10-15 14:27:20 +02:00
Anssi Hannula
d51ddd45b2 avformat/hls: fix segment selection regression on track changes of live streams
Commit ad701326b4 ("avformat/hls: open playlists immediately when
AVDISCARD_ALL is dropped") inadvertently caused first_packet to never be
cleared, causing select_cur_seq_no() to not use the specific code for
live streams.

In practice this means that when the user selects a different audio
track during live stream (i.e. non-VOD) playback, there may be some
additional delay as the code might select an incorrect segment at first,
and we have to wait for video to catch audio (if too late segment was
selected) or to download more following audio segments (if too early
segment was selected).

Fix that by restoring the zeroing of first_packet.
(cherry picked from commit fd74d45d51)
2015-10-15 14:21:29 +02:00
Andreas Cadhalpun
173053a125 hls: only seek if there is an offset
If there is no #EXT-X-BYTERANGE specified, there is no need to seek.
Seeking fails anyway for rtmp, because this protocol does not support
url_seek.

This fixes CNN.m3u from trac ticket 4797 (i.e. Debian bug #798189).

Reviewed-by: wm4 <nfxjfg@googlemail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f9f0b4c08e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-10-12 21:46:54 +02:00
wm4
b9841ba98c avformat/hls: fix some cases of HLS streams which require cookies
Broken by commit ba12ba859a. This only
happens with HLS streams which use encryption and require preserving
cookies sent by the server.

Fixes trac issue #4846.
(cherry picked from commit 26eb294007)
2015-10-09 21:14:23 +02:00
Michael Niedermayer
4eca1939ef avformat/hls: Check for av_opt_set_dict() failure
Fixes: CID1320426

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-09-05 14:28:08 +02:00
Ganesh Ajjanagadde
5edf8b118d avformat/hls: correct comment for ensure_playlist()
Comment was previously slightly incorrect.
Also, it was placed in the wrong location.

Signed-off-by: Ganesh Ajjanagadde <gajjanagadde@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-08-21 14:21:10 +02:00
Ronald S. Bultje
6471040f56 FF_OPT_TYPE_* -> AV_OPT_TYPE_*. 2015-08-18 11:48:49 -04:00
Michael Niedermayer
ba12ba859a Merge commit '0c73a5a53cc97f4291bbe9e1e68226edf6161744'
* commit '0c73a5a53cc97f4291bbe9e1e68226edf6161744':
  hls: Save and forward avio options

Conflicts:
	libavformat/hls.c

Merged-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-30 17:52:23 +02:00
Luca Barbato
0c73a5a53c hls: Save and forward avio options
Make possible to send the custom headers and override the user agent.

Reported-by: BenWonder
2015-07-30 11:21:26 +02:00
Michael Niedermayer
29d147c94d Merge commit '059a934806d61f7af9ab3fd9f74994b838ea5eba'
* commit '059a934806d61f7af9ab3fd9f74994b838ea5eba':
  lavc: Consistently prefix input buffer defines

Conflicts:
	doc/examples/decoding_encoding.c
	libavcodec/4xm.c
	libavcodec/aac_adtstoasc_bsf.c
	libavcodec/aacdec.c
	libavcodec/aacenc.c
	libavcodec/ac3dec.h
	libavcodec/asvenc.c
	libavcodec/avcodec.h
	libavcodec/avpacket.c
	libavcodec/dvdec.c
	libavcodec/ffv1enc.c
	libavcodec/g2meet.c
	libavcodec/gif.c
	libavcodec/h264.c
	libavcodec/h264_mp4toannexb_bsf.c
	libavcodec/huffyuvdec.c
	libavcodec/huffyuvenc.c
	libavcodec/jpeglsenc.c
	libavcodec/libxvid.c
	libavcodec/mdec.c
	libavcodec/motionpixels.c
	libavcodec/mpeg4videodec.c
	libavcodec/mpegvideo.c
	libavcodec/noise_bsf.c
	libavcodec/nuv.c
	libavcodec/nvenc.c
	libavcodec/options.c
	libavcodec/parser.c
	libavcodec/pngenc.c
	libavcodec/proresenc_kostya.c
	libavcodec/qsvdec.c
	libavcodec/svq1enc.c
	libavcodec/tiffenc.c
	libavcodec/truemotion2.c
	libavcodec/utils.c
	libavcodec/utvideoenc.c
	libavcodec/vc1dec.c
	libavcodec/wmalosslessdec.c
	libavformat/adxdec.c
	libavformat/aiffdec.c
	libavformat/apc.c
	libavformat/apetag.c
	libavformat/avidec.c
	libavformat/bink.c
	libavformat/cafdec.c
	libavformat/flvdec.c
	libavformat/id3v2.c
	libavformat/isom.c
	libavformat/matroskadec.c
	libavformat/mov.c
	libavformat/mpc.c
	libavformat/mpc8.c
	libavformat/mpegts.c
	libavformat/mvi.c
	libavformat/mxfdec.c
	libavformat/mxg.c
	libavformat/nutdec.c
	libavformat/oggdec.c
	libavformat/oggparsecelt.c
	libavformat/oggparseflac.c
	libavformat/oggparseopus.c
	libavformat/oggparsespeex.c
	libavformat/omadec.c
	libavformat/rawdec.c
	libavformat/riffdec.c
	libavformat/rl2.c
	libavformat/rmdec.c
	libavformat/rtpdec_latm.c
	libavformat/rtpdec_mpeg4.c
	libavformat/rtpdec_qdm2.c
	libavformat/rtpdec_svq3.c
	libavformat/sierravmd.c
	libavformat/smacker.c
	libavformat/smush.c
	libavformat/spdifenc.c
	libavformat/takdec.c
	libavformat/tta.c
	libavformat/utils.c
	libavformat/vqf.c
	libavformat/westwood_vqa.c
	libavformat/xmv.c
	libavformat/xwma.c
	libavformat/yop.c

Merged-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-27 23:15:19 +02:00
schenk michael
b9161ef052 avformat/hls: do not iterate to next sequence number if interruption is requested
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-06-26 14:36:25 +02:00
Michael Niedermayer
7a27aa15ec avformat/hls: Handle read_buffer allocation failure
Fixes CID1297576

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-05-12 19:03:18 +02:00
wm4
e2691b8092 hls: skip to next segment if the current is unavailable
Apparently, some live streams can delete segments too early, maybe
because the client is too far behind. In this case, it's better to skip
the segment, instead of returning EOF. (Yes, the HLS demuxer actually
returns AVERROR_EOF if opening the segment returns a 404 HTTP error.)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-04-17 22:54:17 +02:00
Rodger Combs
bcf44c91c3 libavformat/hls: add an option to start from a given segment in a live stream
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-03-29 13:34:15 +02:00
Micah Galizia
fca0851879 avformat/hls: refactor repeated HLS option updates
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-03-16 13:01:39 +01:00
Micah Galizia
7859618aff avformat/hls: store cookies returned in HLS key response
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-03-16 01:57:01 +01:00
selsta
6c8a158989 hls: detect SAMPLE-AES encryption
SAMPLE-AES encryption is not commonly used yet, but without this patch
ffmpeg is thinking that the hls segments are not encrypted which
produces broken files.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-03-05 23:08:38 +01:00
wm4
4bf3fab281 hls: fix a null pointer dereference
Not allocating the pls->ctx will crash in libavformat/hls.c:1410, where
it tries to dereference the field.

Sample: http://ec24.rtp.pt/liverepeater/rtpn.smil/playlist.m3u8

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-02-16 19:59:04 +01:00
Michael Niedermayer
4641ae352e avformat: Add and use ff_copy_whitelists()
Fixes potential security issue in case of running out of memory

Found-by: ubitux
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2014-10-24 19:23:23 +02:00
Michael Niedermayer
2c5ae57776 Merge commit '6df9d9b55d3f56ee7782639a7678eeeaf77f14ea'
* commit '6df9d9b55d3f56ee7782639a7678eeeaf77f14ea':
  lavf: Use av_gettime_relative

Conflicts:
	libavformat/hls.c

See: f78bc96b7c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
2014-10-24 12:40:36 +02:00
Martin Storsjö
6df9d9b55d lavf: Use av_gettime_relative
The ones left using av_gettime are NTP timestamps (for RTCP,
which is specified to send the actual current realtime clock
in RTCP SR packets), and the NUT muxer timestamper, which is
documented as using wallclock time.

Signed-off-by: Martin Storsjö <martin@martin.st>
2014-10-24 09:53:45 +03:00
Michael Niedermayer
24cd4e5071 avformat/hls: forward whitelists to mpegts demuxer
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2014-10-23 15:26:46 +02:00
Michael Niedermayer
0026c4ecfd avformat/hls: use av_freep(), do not leave stale pointers in memory
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2014-10-07 04:29:27 +02:00
Reimar Döffinger
a0941c8a2b Use new av_dict_set_int helper function.
Get rid of the many, slightly differing, implementations
of basically the same thing.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
2014-08-16 14:31:41 +02:00
James Almer
d34ec64a22 replace calls to url_feof() with avio_feof()
Signed-off-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2014-08-08 00:48:38 +02:00
Michael Schenk
513a431e07 avformat/hls: reduce memory usage by using dynamically allocated url/key
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-12 03:14:52 +03:00
Anssi Hannula
39b192b8e1 avformat/hls: do not call ffurl_seek/ffurl_size on crypto protocol
ffurl_seek() will not work even when it should be a no-op, so do not
call it on crypto protocol.

Also replace use of ffurl_size() for the same reason.

Reported-by: Michael Schenk <Michael.Schenk@albistechnologies.com>
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-11 00:04:34 +03:00
Vladlen Y. Koshelev
cdbd9e218d avformat/hls: support for seeking on event playlists
This allows clients to seek between first played segment
and the last one in the live stream playlist with #EXT-X-PLAYLIST-TYPE:EVENT attribute.
2014-04-06 17:55:04 +03:00
Anssi Hannula
f29cb45bf2 avformat/hls: flush the subdemuxer when seeking
Since we are basically seeking the AVIOContext under the subdemuxer, we
need to flush the subdemuxer to avoid old packets from being read from
the packet queue after the seek.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:04 +03:00
Anssi Hannula
9aa0606e87 avformat/hls: properly take stream_index into account when seeking
Properly take stream_index into account so that a keyframe will be
looked for in the specified stream_index only.

Similarly, only check timestamp validity against the specified
stream_index.

Also remove code for stream_index == -1 case which does not actually
happen as it is handled by generic code.

This is based on an initial patch by James Deng.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:04 +03:00
Anssi Hannula
ad701326b4 avformat/hls: open playlists immediately when AVDISCARD_ALL is dropped
Do not try to delay opening newly required playlists until a segment
switch. Applications expect that newly selected undiscarded streams are
available immediately, especially with alternative rendition streams
(selectable audio/subtitle tracks).

One might think that delaying variant stream switch until a segment
switch would allow a "seamless" switch without us having to download a
specific segment from two different variant playlists. However, that is
not the case, since the application would have to keep the previous
stream available (undiscarded) until the first packet of the newly
selected stream arrives, but by that time the demuxer would have already
downloaded the next segment of both variants.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:04 +03:00
Anssi Hannula
05ce529a59 avformat/hls: factor identical playlist allocations out of parse_playlist
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:03 +03:00
Anssi Hannula
6b4b73e75d avformat/hls: do not use sequence numbers for packet ordering
As per spec 3.4.3 ("A client MUST NOT assume that segments with the same
sequence number in different Media Playlists contain matching content.")
we cannot use sequence numbers for packet ordering.

This can be seen e.g. in the subtitle streams of
bipbop_16x9_variant.m3u8 that have considerably longer segments and
therefore different numbering.

Since the code now exclusively syncs using timestamps that may wrap, add
some additional checking for that.

According to the HLS spec all the timestamps should be in 33-bit MPEG
format and synced together.

v2: cleaner wrap detection
v3: further wrap detection improvements

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:03 +03:00
Anssi Hannula
8fd6875c83 avformat/hls: do not care about stream start timestamps
While selecting a packet to return to caller in read_packet(), the code
corrects the timestamps for starting timestamps.

However, this is wrong, since for live streams the initial timestamps
might differ just because of the time delay between the retrieval of the
various Media Playlists.

Fortunately, spec 6.2.4 mandates that all variant streams must have
matching timestamps, so we do not need to correct for initial
timestamps.

Drop the correction code.

Note that ID3 timestamps were previously ignored, so this code was
previously actually needed.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:03 +03:00
Anssi Hannula
d549b0910c avformat/hls: avoid unnecessary segment retrievals
Check if the playlist is still needed just before requesting the next
segment instead of after exhausting the previous segment.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:03 +03:00
Anssi Hannula
4e85202bcc avformat/hls: improve segment selection when restarting list reception
Improve selection of the segment sequence number when restarting the
reception of a playlist after it was suspended due to being unneeded
(due to discard flags).

The current code assumes that each playlist contains matching data with
the same sequence number, while spec 3.4.3 specifically says that that
is not the case. Often subtitle playlists also have longer target
durations as well, causing the selection to be completely wrong.

Instead prefer using the playlist segment duration information for
non-live playlists, and other means if that is not possible.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:03 +03:00
Anssi Hannula
61e1a70278 avformat/hls: track seeking on a per-playlist basis
Seeking needs to be tracked on a per-playlist basis, since the resyncing
code in hls_read_packet() has to sync each playlist to the seek
timestamp instead of stopping after the first playlist has reached it.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:03 +03:00
Anssi Hannula
01b184e68d avformat/hls: parse ID3 timestamps for elementary audio streams
HLS provides MPEG TS timestamps via ID3 tags in the beginning of each
segment of elementary audio streams.

v2: fix issues with streams that have multiple ID3 tags

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:03 +03:00
Anssi Hannula
1cb8d986b8 avformat/hls: split read_from_url() out of read_data()
Useful for ID3 parsing.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:03 +03:00
Anssi Hannula
f7c7fc1369 avformat/hls: add some logging messages
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:02 +03:00
Anssi Hannula
da7759b357 avformat/hls: add support for byte-ranged segments
Add support for EXT-X-BYTERANGE added in HLS protocol v4.

v2: Better comment explaining ffurl_seek call and fix cur_seg_offset not
being updated.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:02 +03:00
Anssi Hannula
cc1162d775 avformat/hls: always return EOF for unneeded playlist streams
Even if we returned AVERROR_EOF previously due to playlist no longer
being needed, we may still be called again, and we do not want to
trigger a segment download in that case.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:02 +03:00
Anssi Hannula
edf4406c4d avformat/hls: add support for alternative renditions
HLS protocol version 4 added alternative renditions to the
specification (e.g. alternative audio tracks).

The EXT-X-MEDIA tags can also contain metadata for "renditions" (i.e.
tracks) of the main Media Playlist.

Add support for those.

Note that the same rendition (AVStream) may be associated with multiple
variants (AVPrograms).

Alternative subtitle tracks will require additional work and are
therefore not enabled yet.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-04-06 17:55:02 +03:00
Mikael Finstad
5846d8a91e avformat/hls: Fix cookies and user agent with encrypted HLS streams
Session data (cookies, user-agent) is not being sent on payload requests with
encrypted HLS streams This causes services like Akamai to give a 403 forbidden
when requesting the TS files, because they expect the same cookies
and user-agent on all requests
2014-01-28 18:50:58 +01:00
Anssi Hannula
9371d70bad avformat/hls: decouple playlists from variants
Not all "sub-playlists" are variant playlists (containing the same
content with a different bitrate, etc) in the current version of the HLS
specification. They can now also be alternative renditions, containing
e.g. alternative audio tracks etc.

Decouple playlists from variants to prepare for handling the new
features.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2014-01-03 15:05:48 +02:00