Browse code
avformat/mov: Disallow ".." in dref unless use_absolute_path is set
as this kind of allows to circumvent it to some extend.
We also could add a separate parameter or value to choose this
Found-by: ramiro
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1e4d0498df6621143da1a550006ddc3526ad51cb)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2015/03/15 05:32:35Showing 1 changed files
| ... | ... |
@@ -2395,6 +2395,9 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, |
| 2395 | 2395 |
av_strlcat(filename, "../", sizeof(filename)); |
| 2396 | 2396 |
|
| 2397 | 2397 |
av_strlcat(filename, ref->path + l + 1, sizeof(filename)); |
| 2398 |
+ if (!use_absolute_path) |
|
| 2399 |
+ if(strstr(ref->path + l + 1, "..") || ref->nlvl_from > 1) |
|
| 2400 |
+ return AVERROR(ENOENT); |
|
| 2398 | 2401 |
|
| 2399 | 2402 |
if (strlen(filename) + 1 == sizeof(filename)) |
| 2400 | 2403 |
return AVERROR(ENOENT); |