1 files changed, 94 insertions, 0 deletions

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch
new file mode 100644
index 0000000000..95803cef55
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch
@@ -0,0 +1,94 @@
+From 7ec414892ddcad88313848494b6fc5f437c9ca4a Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 26 Aug 2017 01:26:58 +0200
+Subject: [PATCH] avformat/hls: Fix DoS due to infinite loop
+
+Fixes: loop.m3u
+
+The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome
+
+Found-by: Xiaohei and Wangchu from Alibaba Security Team
+
+Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com>
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2017-14058
+Upstream-Status: Backport
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ doc/demuxers.texi | 18 ++++++++++++++++++
+ libavformat/hls.c |  7 +++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/doc/demuxers.texi b/doc/demuxers.texi
+index 29a23d4..73dc0fe 100644
+--- a/doc/demuxers.texi
++++ b/doc/demuxers.texi
+@@ -300,6 +300,24 @@ used to end the output video at the length of the shortest input file,
+ which in this case is @file{input.mp4} as the GIF in this example loops
+ infinitely.
+ 
++@section hls
++
++HLS demuxer
++
++It accepts the following options:
++
++@table @option
++@item live_start_index
++segment index to start live streams at (negative values are from the end).
++
++@item allowed_extensions
++',' separated list of file extensions that hls is allowed to access.
++
++@item max_reload
++Maximum number of times a insufficient list is attempted to be reloaded.
++Default value is 1000.
++@end table
++
+ @section image2
+ 
+ Image file demuxer.
+diff --git a/libavformat/hls.c b/libavformat/hls.c
+index 01731bd..0995345 100644
+--- a/libavformat/hls.c
++++ b/libavformat/hls.c
+@@ -205,6 +205,7 @@ typedef struct HLSContext {
+     AVDictionary *avio_opts;
+     int strict_std_compliance;
+     char *allowed_extensions;
++    int max_reload;
+ } HLSContext;
+ 
+ static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
+@@ -1263,6 +1264,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
+     HLSContext *c = v->parent->priv_data;
+     int ret, i;
+     int just_opened = 0;
++    int reload_count = 0;
+ 
+ restart:
+     if (!v->needed)
+@@ -1294,6 +1296,9 @@ restart:
+         reload_interval = default_reload_interval(v);
+ 
+ reload:
++        reload_count++;
++        if (reload_count > c->max_reload)
++            return AVERROR_EOF;
+         if (!v->finished &&
+             av_gettime_relative() - v->last_load_time >= reload_interval) {
+             if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
+@@ -2150,6 +2155,8 @@ static const AVOption hls_options[] = {
+         OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
+         {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
+         INT_MIN, INT_MAX, FLAGS},
++    {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
++        OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
+     {NULL}
+ };
+ 
+-- 
+2.1.0
+