Commit c9c7263e authored by Michael Niedermayer's avatar Michael Niedermayer

avformat/mov: Fix opening relative references

Possibly fixes Ticket4671

the removed check is wrong and insufficient

Based on patch by Maksym Veremeyenko <verem@m1.tv>
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent bfd17046
...@@ -2708,7 +2708,7 @@ static int mov_open_dref(MOVContext *c, AVIOContext **pb, const char *src, MOVDr ...@@ -2708,7 +2708,7 @@ static int mov_open_dref(MOVContext *c, AVIOContext **pb, const char *src, MOVDr
/* try relative path, we do not try the absolute because it can leak information about our /* try relative path, we do not try the absolute because it can leak information about our
system to an attacker */ system to an attacker */
if (ref->nlvl_to > 0 && ref->nlvl_from > 0 && ref->path[0] != '/') { if (ref->nlvl_to > 0 && ref->nlvl_from > 0) {
char filename[1025]; char filename[1025];
const char *src_path; const char *src_path;
int i, l; int i, l;
...@@ -2739,7 +2739,10 @@ static int mov_open_dref(MOVContext *c, AVIOContext **pb, const char *src, MOVDr ...@@ -2739,7 +2739,10 @@ static int mov_open_dref(MOVContext *c, AVIOContext **pb, const char *src, MOVDr
av_strlcat(filename, ref->path + l + 1, sizeof(filename)); av_strlcat(filename, ref->path + l + 1, sizeof(filename));
if (!c->use_absolute_path && !c->fc->open_cb) if (!c->use_absolute_path && !c->fc->open_cb)
if(strstr(ref->path + l + 1, "..") || ref->nlvl_from > 1) if(strstr(ref->path + l + 1, "..") ||
strstr(ref->path + l + 1, ":") ||
ref->nlvl_from > 1 ||
(filename[0] == '/' && src_path == src))
return AVERROR(ENOENT); return AVERROR(ENOENT);
if (strlen(filename) + 1 == sizeof(filename)) if (strlen(filename) + 1 == sizeof(filename))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment