ffmpeg: fix multiple CVEs

CVE-2023-6605: A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs. CVE-2023-6604: A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation. CVE-2023-6602: flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists. (From OE-Core rev: aa68992ddc5744bb4fdbb3a3cd0636b303449be2) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2025-09-05 11:10:44 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-09-12 09:24:24 -0700
commit: e9b1bb75ffed3870c37aa83108f2dc5eb9f1894c (patch)
tree: 5e8484692d2d483de18a18f1583e3db27b310741
parent: 4415ab156050df66020ac4c79ec99b42cbc3b102 (diff)
download: poky-e9b1bb75ffed3870c37aa83108f2dc5eb9f1894c.tar.gz
4 files changed, 269 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch
new file mode 100644
index 0000000000..2b28eeada5
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch
@@ -0,0 +1,79 @@
+From 3ef588940eef62742d28171bf212a474206f8e03 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Mon, 15 May 2023 00:54:50 +0200
+Subject: [PATCH] avformat: add ff_match_url_ext()
+Match url against a list of extensions similar to av_match_ext()
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit a7b06bfc5d20b12ff0122702c09517cf359fbb66)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+CVE: CVE-2023-6604 CVE-2023-6602 CVE-2023-6605
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3ef588940ee]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavformat/format.c   | 25 +++++++++++++++++++++++++
+ libavformat/internal.h |  9 +++++++++
+ 2 files changed, 34 insertions(+)
+diff --git a/libavformat/format.c b/libavformat/format.c
+index 52b85c1..5e057d7 100644
+--- a/libavformat/format.c
+++ b/libavformat/format.c
+@@ -48,6 +48,31 @@ int av_match_ext(const char *filename, const char *extensions)
+     return 0;
+ }
+int ff_match_url_ext(const char *url, const char *extensions)
+{
+    const char *ext;
+    URLComponents uc;
+    int ret;
+    char scratchpad[128];
+
+    if (!url)
+        return 0;
+
+    ret = ff_url_decompose(&uc, url, NULL);
+    if (ret < 0 || !URL_COMPONENT_HAVE(uc, scheme))
+        return ret;
+    for (ext = uc.query; *ext != '.' && ext > uc.path; ext--)
+        ;
+
+    if (*ext != '.')
+        return 0;
+    if (uc.query - ext > sizeof(scratchpad))
+        return AVERROR(ENOMEM); //not enough memory in our scratchpad
+    av_strlcpy(scratchpad, ext + 1, FFMIN(sizeof(scratchpad), uc.query - ext));
+
+    return av_match_name(scratchpad, extensions);
+}
+
+ const AVOutputFormat *av_guess_format(const char *short_name, const char *filename,
+                                       const char *mime_type)
+ {
+diff --git a/libavformat/internal.h b/libavformat/internal.h
+index bffb8e6..584b979 100644
+--- a/libavformat/internal.h
+++ b/libavformat/internal.h
+@@ -1015,6 +1015,15 @@ int ff_unlock_avformat(void);
+  */
+ void ff_format_set_url(AVFormatContext *s, char *url);
+/**
+ * Return a positive value if the given url has one of the given
+ * extensions, negative AVERROR on error, 0 otherwise.
+ *
+ * @param url        url to check against the given extensions
+ * @param extensions a comma-separated list of filename extensions
+ */
+int ff_match_url_ext(const char *url, const char *extensions);
+
+ void avpriv_register_devices(const AVOutputFormat * const o[], const AVInputFormat * const i[]);
+ /**
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch
new file mode 100644
index 0000000000..1ba1006197
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch
@@ -0,0 +1,142 @@
+From 9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Thu, 16 Jan 2025 01:28:46 +0100
+Subject: [PATCH] avformat/hls: Be more picky on extensions
+This blocks disallowed extensions from probing
+It also requires all available segments to have matching extensions to the format
+mpegts is treated independent of the extension
+It is recommended to set the whitelists correctly
+instead of depending on extensions, but this should help a bit,
+and this is easier to backport
+Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
+Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
+The other parts of CVE-2023-6602 have been fixed by prior commits
+Found-by: Harvey Phillips of Amazon Element55 (element55)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 91d96dc8ddaebe0b6cb393f672085e6bfaf15a31)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6605
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ doc/demuxers.texi |  7 +++++++
+ libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 57 insertions(+)
+diff --git a/doc/demuxers.texi b/doc/demuxers.texi
+index 26ae768..6e0b25e 100644
+--- a/doc/demuxers.texi
+++ b/doc/demuxers.texi
+@@ -365,6 +365,13 @@ segment index to start live streams at (negative values are from the end).
+ @item allowed_extensions
+ ',' separated list of file extensions that hls is allowed to access.
+@item extension_picky
+This blocks disallowed extensions from probing
+It also requires all available segments to have matching extensions to the format
+except mpegts, which is always allowed.
+It is recommended to set the whitelists correctly instead of depending on extensions
+Enabled by default.
+
+ @item max_reload
+ Maximum number of times a insufficient list is attempted to be reloaded.
+ Default value is 1000.
+diff --git a/libavformat/hls.c b/libavformat/hls.c
+index d5e9b21..e1bb677 100644
+--- a/libavformat/hls.c
+++ b/libavformat/hls.c
+@@ -214,6 +214,7 @@ typedef struct HLSContext {
+     AVDictionary *avio_opts;
+     AVDictionary *seg_format_opts;
+     char *allowed_extensions;
+    int extension_picky;
+     int max_reload;
+     int http_persistent;
+     int http_multiple;
+@@ -716,6 +717,40 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url,
+     return ret;
+ }
+static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct playlist *pls, struct segment *seg)
+{
+    HLSContext *c = s->priv_data;
+    int matchA = 3;
+    int matchF = 0;
+
+    if (!c->extension_picky)
+        return 0;
+
+    if (strcmp(c->allowed_extensions, "ALL"))
+        matchA =      av_match_ext    (seg->url, c->allowed_extensions)
+                 + 2*(ff_match_url_ext(seg->url, c->allowed_extensions) > 0);
+
+    if (!matchA) {
+        av_log(s, AV_LOG_ERROR, "URL %s is not in allowed_extensions\n", seg->url);
+        return AVERROR_INVALIDDATA;
+    }
+
+    if (in_fmt) {
+        if (in_fmt->extensions) {
+            matchF =      av_match_ext(    seg->url, in_fmt->extensions)
+                     + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0);
+        } else if (!strcmp(in_fmt->name, "mpegts"))
+            matchF = 3;
+
+        if (!(matchA & matchF)) {
+            av_log(s, AV_LOG_ERROR, "detected format extension %s mismatches allowed extensions in url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", seg->url);
+            return AVERROR_INVALIDDATA;
+        }
+    }
+
+    return 0;
+}
+
+ static int parse_playlist(HLSContext *c, const char *url,
+                           struct playlist *pls, AVIOContext *in)
+ {
+@@ -959,6 +994,14 @@ static int parse_playlist(HLSContext *c, const char *url,
+                     goto fail;
+                 }
+                ret = test_segment(c->ctx, pls->ctx ? pls->ctx->iformat : NULL, pls, seg);
+                if (ret < 0) {
+                    av_free(seg->url);
+                    av_free(seg->key);
+                    av_free(seg);
+                    goto fail;
+                }
+
+                 if (duration < 0.001 * AV_TIME_BASE) {
+                     av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s,"
+                                     " set to default value to 1ms.\n", seg->url);
+@@ -2040,6 +2083,11 @@ static int hls_read_header(AVFormatContext *s)
+             pls->ctx->interrupt_callback = s->interrupt_callback;
+             url = av_strdup(pls->segments[0]->url);
+             ret = av_probe_input_buffer(&pls->pb.pub, &in_fmt, url, NULL, 0, 0);
+
+            for (int n = 0; n < pls->n_segments; n++)
+                if (ret >= 0)
+                    ret = test_segment(s, in_fmt, pls, pls->segments[n]);
+
+             if (ret < 0) {
+                 /* Free the ctx - it isn't initialized properly at this point,
+                 * so avformat_close_input shouldn't be called. If
+@@ -2467,6 +2515,8 @@ static const AVOption hls_options[] = {
+         OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
+         {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
+         INT_MIN, INT_MAX, FLAGS},
+    {"extension_picky", "Be picky with all extensions matching",
+        OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS},
+     {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
+         OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
+     {"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments",
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch
new file mode 100644
index 0000000000..0a2488814f
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch
@@ -0,0 +1,45 @@
+From 800f5f818e858c864db86c174114d13f44d59044 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Thu, 16 Jan 2025 00:22:05 +0100
+Subject: [PATCH] avformat/dashdec: Check whitelist
+Fixes: CVE-2023-6602, V. DASH Playlist SSRF
+Found-by: Harvey Phillips of Amazon Element55 (element55)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 4c96d6bf75357ab13808efc9f08c1b41b1bf5bdf)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6604
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/097131a6474bd6294ff337fa92025df60dff907a]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavformat/dashdec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
+index 797fe74..78118de 100644
+--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
+@@ -442,7 +442,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url,
+     av_freep(pb);
+     av_dict_copy(&tmp, *opts, 0);
+     av_dict_copy(&tmp, opts2, 0);
+-    ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp);
+    ret = ffio_open_whitelist(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp, s->protocol_whitelist, s->protocol_blacklist);
+     if (ret >= 0) {
+         // update cookies on http response with setcookies.
+         char *new_cookies = NULL;
+@@ -1217,7 +1217,7 @@ static int parse_manifest(AVFormatContext *s, const char *url, AVIOContext *in)
+         close_in = 1;
+         av_dict_copy(&opts, c->avio_opts, 0);
+-        ret = avio_open2(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts);
+        ret = ffio_open_whitelist(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts, s->protocol_whitelist, s->protocol_blacklist);
+         av_dict_free(&opts);
+         if (ret < 0)
+             return ret;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
index f205c4a5db..27a9a80e8c 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -49,6 +49,9 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://CVE-2025-22919.patch \
           file://CVE-2025-22921.patch \
           file://CVE-2025-7700.patch \
+           file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \
+           file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \
+           file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \
          "
 SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"
author	Archana Polampalli <archana.polampalli@windriver.com>	2025-09-05 11:10:44 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-09-12 09:24:24 -0700
commit	e9b1bb75ffed3870c37aa83108f2dc5eb9f1894c (patch)
tree	5e8484692d2d483de18a18f1583e3db27b310741
parent	4415ab156050df66020ac4c79ec99b42cbc3b102 (diff)
download	poky-e9b1bb75ffed3870c37aa83108f2dc5eb9f1894c.tar.gz

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch new file mode 100644 index 0000000000..2b28eeada5 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch
@@ -0,0 +1,79 @@
		1	From 3ef588940eef62742d28171bf212a474206f8e03 Mon Sep 17 00:00:00 2001
		2	From: Michael Niedermayer <michael@niedermayer.cc>
		3	Date: Mon, 15 May 2023 00:54:50 +0200
		4	Subject: [PATCH] avformat: add ff_match_url_ext()
		5
		6	Match url against a list of extensions similar to av_match_ext()
		7
		8	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		9	(cherry picked from commit a7b06bfc5d20b12ff0122702c09517cf359fbb66)
		10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		11
		12	CVE: CVE-2023-6604 CVE-2023-6602 CVE-2023-6605
		13
		14	Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3ef588940ee]
		15
		16	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		17	---
		18	libavformat/format.c \| 25 +++++++++++++++++++++++++
		19	libavformat/internal.h \| 9 +++++++++
		20	2 files changed, 34 insertions(+)
		21
		22	diff --git a/libavformat/format.c b/libavformat/format.c
		23	index 52b85c1..5e057d7 100644
		24	--- a/libavformat/format.c
		25	+++ b/libavformat/format.c
		26	@@ -48,6 +48,31 @@ int av_match_ext(const char filename, const char extensions)
		27	return 0;
		28	}
		29
		30	+int ff_match_url_ext(const char url, const char extensions)
		31	+{
		32	+ const char *ext;
		33	+ URLComponents uc;
		34	+ int ret;
		35	+ char scratchpad[128];
		36	+
		37	+ if (!url)
		38	+ return 0;
		39	+
		40	+ ret = ff_url_decompose(&uc, url, NULL);
		41	+ if (ret < 0 \|\| !URL_COMPONENT_HAVE(uc, scheme))
		42	+ return ret;
		43	+ for (ext = uc.query; *ext != '.' && ext > uc.path; ext--)
		44	+ ;
		45	+
		46	+ if (*ext != '.')
		47	+ return 0;
		48	+ if (uc.query - ext > sizeof(scratchpad))
		49	+ return AVERROR(ENOMEM); //not enough memory in our scratchpad
		50	+ av_strlcpy(scratchpad, ext + 1, FFMIN(sizeof(scratchpad), uc.query - ext));
		51	+
		52	+ return av_match_name(scratchpad, extensions);
		53	+}
		54	+
		55	const AVOutputFormat av_guess_format(const char short_name, const char *filename,
		56	const char *mime_type)
		57	{
		58	diff --git a/libavformat/internal.h b/libavformat/internal.h
		59	index bffb8e6..584b979 100644
		60	--- a/libavformat/internal.h
		61	+++ b/libavformat/internal.h
		62	@@ -1015,6 +1015,15 @@ int ff_unlock_avformat(void);
		63	*/
		64	void ff_format_set_url(AVFormatContext s, char url);
		65
		66	+/**
		67	+ * Return a positive value if the given url has one of the given
		68	+ * extensions, negative AVERROR on error, 0 otherwise.
		69	+ *
		70	+ * @param url url to check against the given extensions
		71	+ * @param extensions a comma-separated list of filename extensions
		72	+ */
		73	+int ff_match_url_ext(const char url, const char extensions);
		74	+
		75	void avpriv_register_devices(const AVOutputFormat * const o[], const AVInputFormat * const i[]);
		76
		77	/**
		78	--
		79	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch new file mode 100644 index 0000000000..1ba1006197 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch
@@ -0,0 +1,142 @@
		1	From 9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 Mon Sep 17 00:00:00 2001
		2	From: Michael Niedermayer <michael@niedermayer.cc>
		3	Date: Thu, 16 Jan 2025 01:28:46 +0100
		4	Subject: [PATCH] avformat/hls: Be more picky on extensions
		5
		6	This blocks disallowed extensions from probing
		7	It also requires all available segments to have matching extensions to the format
		8	mpegts is treated independent of the extension
		9
		10	It is recommended to set the whitelists correctly
		11	instead of depending on extensions, but this should help a bit,
		12	and this is easier to backport
		13
		14	Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
		15	Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
		16
		17	The other parts of CVE-2023-6602 have been fixed by prior commits
		18
		19	Found-by: Harvey Phillips of Amazon Element55 (element55)
		20	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		21	(cherry picked from commit 91d96dc8ddaebe0b6cb393f672085e6bfaf15a31)
		22	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		23
		24	CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6605
		25
		26	Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57]
		27
		28	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		29	---
		30	doc/demuxers.texi \| 7 +++++++
		31	libavformat/hls.c \| 50 +++++++++++++++++++++++++++++++++++++++++++++++
		32	2 files changed, 57 insertions(+)
		33
		34	diff --git a/doc/demuxers.texi b/doc/demuxers.texi
		35	index 26ae768..6e0b25e 100644
		36	--- a/doc/demuxers.texi
		37	+++ b/doc/demuxers.texi
		38	@@ -365,6 +365,13 @@ segment index to start live streams at (negative values are from the end).
		39	@item allowed_extensions
		40	',' separated list of file extensions that hls is allowed to access.
		41
		42	+@item extension_picky
		43	+This blocks disallowed extensions from probing
		44	+It also requires all available segments to have matching extensions to the format
		45	+except mpegts, which is always allowed.
		46	+It is recommended to set the whitelists correctly instead of depending on extensions
		47	+Enabled by default.
		48	+
		49	@item max_reload
		50	Maximum number of times a insufficient list is attempted to be reloaded.
		51	Default value is 1000.
		52	diff --git a/libavformat/hls.c b/libavformat/hls.c
		53	index d5e9b21..e1bb677 100644
		54	--- a/libavformat/hls.c
		55	+++ b/libavformat/hls.c
		56	@@ -214,6 +214,7 @@ typedef struct HLSContext {
		57	AVDictionary *avio_opts;
		58	AVDictionary *seg_format_opts;
		59	char *allowed_extensions;
		60	+ int extension_picky;
		61	int max_reload;
		62	int http_persistent;
		63	int http_multiple;
		64	@@ -716,6 +717,40 @@ static int open_url(AVFormatContext s, AVIOContext pb, const char url,
		65	return ret;
		66	}
		67
		68	+static int test_segment(AVFormatContext s, const AVInputFormat in_fmt, struct playlist pls, struct segment seg)
		69	+{
		70	+ HLSContext *c = s->priv_data;
		71	+ int matchA = 3;
		72	+ int matchF = 0;
		73	+
		74	+ if (!c->extension_picky)
		75	+ return 0;
		76	+
		77	+ if (strcmp(c->allowed_extensions, "ALL"))
		78	+ matchA = av_match_ext (seg->url, c->allowed_extensions)
		79	+ + 2*(ff_match_url_ext(seg->url, c->allowed_extensions) > 0);
		80	+
		81	+ if (!matchA) {
		82	+ av_log(s, AV_LOG_ERROR, "URL %s is not in allowed_extensions\n", seg->url);
		83	+ return AVERROR_INVALIDDATA;
		84	+ }
		85	+
		86	+ if (in_fmt) {
		87	+ if (in_fmt->extensions) {
		88	+ matchF = av_match_ext( seg->url, in_fmt->extensions)
		89	+ + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0);
		90	+ } else if (!strcmp(in_fmt->name, "mpegts"))
		91	+ matchF = 3;
		92	+
		93	+ if (!(matchA & matchF)) {
		94	+ av_log(s, AV_LOG_ERROR, "detected format extension %s mismatches allowed extensions in url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", seg->url);
		95	+ return AVERROR_INVALIDDATA;
		96	+ }
		97	+ }
		98	+
		99	+ return 0;
		100	+}
		101	+
		102	static int parse_playlist(HLSContext c, const char url,
		103	struct playlist pls, AVIOContext in)
		104	{
		105	@@ -959,6 +994,14 @@ static int parse_playlist(HLSContext c, const char url,
		106	goto fail;
		107	}
		108
		109	+ ret = test_segment(c->ctx, pls->ctx ? pls->ctx->iformat : NULL, pls, seg);
		110	+ if (ret < 0) {
		111	+ av_free(seg->url);
		112	+ av_free(seg->key);
		113	+ av_free(seg);
		114	+ goto fail;
		115	+ }
		116	+
		117	if (duration < 0.001 * AV_TIME_BASE) {
		118	av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s,"
		119	" set to default value to 1ms.\n", seg->url);
		120	@@ -2040,6 +2083,11 @@ static int hls_read_header(AVFormatContext *s)
		121	pls->ctx->interrupt_callback = s->interrupt_callback;
		122	url = av_strdup(pls->segments[0]->url);
		123	ret = av_probe_input_buffer(&pls->pb.pub, &in_fmt, url, NULL, 0, 0);
		124	+
		125	+ for (int n = 0; n < pls->n_segments; n++)
		126	+ if (ret >= 0)
		127	+ ret = test_segment(s, in_fmt, pls, pls->segments[n]);
		128	+
		129	if (ret < 0) {
		130	/* Free the ctx - it isn't initialized properly at this point,
		131	* so avformat_close_input shouldn't be called. If
		132	@@ -2467,6 +2515,8 @@ static const AVOption hls_options[] = {
		133	OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
		134	{.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
		135	INT_MIN, INT_MAX, FLAGS},
		136	+ {"extension_picky", "Be picky with all extensions matching",
		137	+ OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS},
		138	{"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
		139	OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
		140	{"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments",
		141	--
		142	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch new file mode 100644 index 0000000000..0a2488814f --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch
@@ -0,0 +1,45 @@
		1	From 800f5f818e858c864db86c174114d13f44d59044 Mon Sep 17 00:00:00 2001
		2	From: Michael Niedermayer <michael@niedermayer.cc>
		3	Date: Thu, 16 Jan 2025 00:22:05 +0100
		4	Subject: [PATCH] avformat/dashdec: Check whitelist
		5
		6	Fixes: CVE-2023-6602, V. DASH Playlist SSRF
		7
		8	Found-by: Harvey Phillips of Amazon Element55 (element55)
		9	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		10	(cherry picked from commit 4c96d6bf75357ab13808efc9f08c1b41b1bf5bdf)
		11	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		12
		13	CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6604
		14
		15	Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/097131a6474bd6294ff337fa92025df60dff907a]
		16
		17	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		18	---
		19	libavformat/dashdec.c \| 4 ++--
		20	1 file changed, 2 insertions(+), 2 deletions(-)
		21
		22	diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
		23	index 797fe74..78118de 100644
		24	--- a/libavformat/dashdec.c
		25	+++ b/libavformat/dashdec.c
		26	@@ -442,7 +442,7 @@ static int open_url(AVFormatContext s, AVIOContext pb, const char url,
		27	av_freep(pb);
		28	av_dict_copy(&tmp, *opts, 0);
		29	av_dict_copy(&tmp, opts2, 0);
		30	- ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp);
		31	+ ret = ffio_open_whitelist(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp, s->protocol_whitelist, s->protocol_blacklist);
		32	if (ret >= 0) {
		33	// update cookies on http response with setcookies.
		34	char *new_cookies = NULL;
		35	@@ -1217,7 +1217,7 @@ static int parse_manifest(AVFormatContext s, const char url, AVIOContext *in)
		36	close_in = 1;
		37
		38	av_dict_copy(&opts, c->avio_opts, 0);
		39	- ret = avio_open2(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts);
		40	+ ret = ffio_open_whitelist(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts, s->protocol_whitelist, s->protocol_blacklist);
		41	av_dict_free(&opts);
		42	if (ret < 0)
		43	return ret;
		44	--
		45	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index f205c4a5db..27a9a80e8c 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -49,6 +49,9 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
49	file://CVE-2025-22919.patch \	49	file://CVE-2025-22919.patch \
50	file://CVE-2025-22921.patch \	50	file://CVE-2025-22921.patch \
51	file://CVE-2025-7700.patch \	51	file://CVE-2025-7700.patch \
		52	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \
		53	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \
		54	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \
52	"	55	"
53		56
54	SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"	57	SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"