Commit 984d58a3 authored by Michael Niedermayer's avatar Michael Niedermayer

avformat/avio: Limit url option parsing to the documented cases

This feature is not know much or used much AFAIK, and it might be helpfull in
exploits.
No specific case is known where it can be used in an exploit though
subsequent commits depend on this commit though
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent d96f0fbe
...@@ -156,8 +156,15 @@ static int url_alloc_for_protocol(URLContext **puc, struct URLProtocol *up, ...@@ -156,8 +156,15 @@ static int url_alloc_for_protocol(URLContext **puc, struct URLProtocol *up,
char sep= *++p; char sep= *++p;
char *key, *val; char *key, *val;
p++; p++;
if (strcmp(up->name, "subfile"))
ret = AVERROR(EINVAL);
while(ret >= 0 && (key= strchr(p, sep)) && p<key && (val = strchr(key+1, sep))){ while(ret >= 0 && (key= strchr(p, sep)) && p<key && (val = strchr(key+1, sep))){
*val= *key= 0; *val= *key= 0;
if (strcmp(p, "start") && strcmp(p, "end")) {
ret = AVERROR_OPTION_NOT_FOUND;
} else
ret= av_opt_set(uc->priv_data, p, key+1, 0); ret= av_opt_set(uc->priv_data, p, key+1, 0);
if (ret == AVERROR_OPTION_NOT_FOUND) if (ret == AVERROR_OPTION_NOT_FOUND)
av_log(uc, AV_LOG_ERROR, "Key '%s' not found.\n", p); av_log(uc, AV_LOG_ERROR, "Key '%s' not found.\n", p);
...@@ -243,7 +250,7 @@ static struct URLProtocol *url_find_protocol(const char *filename) ...@@ -243,7 +250,7 @@ static struct URLProtocol *url_find_protocol(const char *filename)
size_t proto_len = strspn(filename, URL_SCHEME_CHARS); size_t proto_len = strspn(filename, URL_SCHEME_CHARS);
if (filename[proto_len] != ':' && if (filename[proto_len] != ':' &&
(filename[proto_len] != ',' || !strchr(filename + proto_len + 1, ':')) || (strncmp(filename, "subfile,", 8) || !strchr(filename + proto_len + 1, ':')) ||
is_dos_path(filename)) is_dos_path(filename))
strcpy(proto_str, "file"); strcpy(proto_str, "file");
else else
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment