avformat/hls: Fix DoS due to infinite loop
author Michael Niedermayer <michael@niedermayer.cc>
Fri, 25 Aug 2017 23:26:58 +0000 (01:26 +0200)
committer Mike Gabriel <sunweaver@debian.org>
Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)
Fixes: loop.m3u
The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] Rebased against a libavformat/hls.c version that did not yet have AVOption support.
            Initializing HLS_Context.max_reload statically with the value 1000.

Gbp-Pq: Name CVE-2017-14058.patch

libavformat/hls.c

index 290f12e5bbbff179079bfd71ffb1c1a02c34b23d..3d98fe62d86a3c1667e574d04925995eeacd79e6 100644 (file)
@@ -381,6 +381,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
     struct variant *v = opaque;
     HLSContext *c = v->parent->priv_data;
     int ret, i;
+    int reload_count = 0;
 
 restart:
     if (!v->input) {
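Review bot: reload_count is declared and zeroed ahead of the restart: label, so a jump back to restart does not reset it and the limit ends up counting every pass through reload within a single read_data() call, not reloads per segment or per playlist. If that is the intended scope, a one-line comment on the declaration saying so would save the next reader from working it out; if the cap is meant to be per restart, the reset belongs after the label.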
@@ -391,6 +392,9 @@ restart:
                                   v->target_duration;
 
 reload:
+        reload_count++;
+        if (reload_count > 1000)
+            return AVERROR_EOF;
         if (!v->finished &&
             av_gettime() - v->last_load_time >= reload_interval) {
             if ((ret = parse_playlist(c, v->url, v, NULL)) < 0)
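Review bot: the limit in `if (reload_count > 1000)` is a bare literal, while the rebase note in the commit message talks about initializing HLS_Context.max_reload with 1000; nothing in this hunk reads such a field, so either compare against that field or give the literal a named constant so the cap is defined in one place. Two smaller points on the same lines: the counter is incremented before the `!v->finished && av_gettime() - v->last_load_time >= reload_interval` test, so passes that do not actually reload the playlist also count toward the limit, and returning AVERROR_EOF with no log line makes an aborted reload loop indistinguishable from a normal end of stream for the caller. An av_log() warning before the return would make the cut-off visible when triaging a playlist such as the loop.m3u mentioned in the message.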