4 files changed, 269 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch
new file mode 100644
index 0000000000..2b28eeada5
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch
@@ -0,0 +1,79 @@
+From 3ef588940eef62742d28171bf212a474206f8e03 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Mon, 15 May 2023 00:54:50 +0200
+Subject: [PATCH] avformat: add ff_match_url_ext()
+Match url against a list of extensions similar to av_match_ext()
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit a7b06bfc5d20b12ff0122702c09517cf359fbb66)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+CVE: CVE-2023-6604 CVE-2023-6602 CVE-2023-6605
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3ef588940ee]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavformat/format.c   | 25 +++++++++++++++++++++++++
+ libavformat/internal.h |  9 +++++++++
+ 2 files changed, 34 insertions(+)
+diff --git a/libavformat/format.c b/libavformat/format.c
+index 52b85c1..5e057d7 100644
+--- a/libavformat/format.c
+++ b/libavformat/format.c
+@@ -48,6 +48,31 @@ int av_match_ext(const char *filename, const char *extensions)
+     return 0;
+ }
+int ff_match_url_ext(const char *url, const char *extensions)
+{
+    const char *ext;
+    URLComponents uc;
+    int ret;
+    char scratchpad[128];
+
+    if (!url)
+        return 0;
+
+    ret = ff_url_decompose(&uc, url, NULL);
+    if (ret < 0 || !URL_COMPONENT_HAVE(uc, scheme))
+        return ret;
+    for (ext = uc.query; *ext != '.' && ext > uc.path; ext--)
+        ;
+
+    if (*ext != '.')
+        return 0;
+    if (uc.query - ext > sizeof(scratchpad))
+        return AVERROR(ENOMEM); //not enough memory in our scratchpad
+    av_strlcpy(scratchpad, ext + 1, FFMIN(sizeof(scratchpad), uc.query - ext));
+
+    return av_match_name(scratchpad, extensions);
+}
+
+ const AVOutputFormat *av_guess_format(const char *short_name, const char *filename,
+                                       const char *mime_type)
+ {
+diff --git a/libavformat/internal.h b/libavformat/internal.h
+index bffb8e6..584b979 100644
+--- a/libavformat/internal.h
+++ b/libavformat/internal.h
+@@ -1015,6 +1015,15 @@ int ff_unlock_avformat(void);
+  */
+ void ff_format_set_url(AVFormatContext *s, char *url);
+/**
+ * Return a positive value if the given url has one of the given
+ * extensions, negative AVERROR on error, 0 otherwise.
+ *
+ * @param url        url to check against the given extensions
+ * @param extensions a comma-separated list of filename extensions
+ */
+int ff_match_url_ext(const char *url, const char *extensions);
+
+ void avpriv_register_devices(const AVOutputFormat * const o[], const AVInputFormat * const i[]);
+ /**
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch
new file mode 100644
index 0000000000..1ba1006197
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch
@@ -0,0 +1,142 @@
+From 9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Thu, 16 Jan 2025 01:28:46 +0100
+Subject: [PATCH] avformat/hls: Be more picky on extensions
+This blocks disallowed extensions from probing
+It also requires all available segments to have matching extensions to the format
+mpegts is treated independent of the extension
+It is recommended to set the whitelists correctly
+instead of depending on extensions, but this should help a bit,
+and this is easier to backport
+Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
+Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
+The other parts of CVE-2023-6602 have been fixed by prior commits
+Found-by: Harvey Phillips of Amazon Element55 (element55)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 91d96dc8ddaebe0b6cb393f672085e6bfaf15a31)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6605
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ doc/demuxers.texi |  7 +++++++
+ libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 57 insertions(+)
+diff --git a/doc/demuxers.texi b/doc/demuxers.texi
+index 26ae768..6e0b25e 100644
+--- a/doc/demuxers.texi
+++ b/doc/demuxers.texi
+@@ -365,6 +365,13 @@ segment index to start live streams at (negative values are from the end).
+ @item allowed_extensions
+ ',' separated list of file extensions that hls is allowed to access.
+@item extension_picky
+This blocks disallowed extensions from probing
+It also requires all available segments to have matching extensions to the format
+except mpegts, which is always allowed.
+It is recommended to set the whitelists correctly instead of depending on extensions
+Enabled by default.
+
+ @item max_reload
+ Maximum number of times a insufficient list is attempted to be reloaded.
+ Default value is 1000.
+diff --git a/libavformat/hls.c b/libavformat/hls.c
+index d5e9b21..e1bb677 100644
+--- a/libavformat/hls.c
+++ b/libavformat/hls.c
+@@ -214,6 +214,7 @@ typedef struct HLSContext {
+     AVDictionary *avio_opts;
+     AVDictionary *seg_format_opts;
+     char *allowed_extensions;
+    int extension_picky;
+     int max_reload;
+     int http_persistent;
+     int http_multiple;
+@@ -716,6 +717,40 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url,
+     return ret;
+ }
+static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct playlist *pls, struct segment *seg)
+{
+    HLSContext *c = s->priv_data;
+    int matchA = 3;
+    int matchF = 0;
+
+    if (!c->extension_picky)
+        return 0;
+
+    if (strcmp(c->allowed_extensions, "ALL"))
+        matchA =      av_match_ext    (seg->url, c->allowed_extensions)
+                 + 2*(ff_match_url_ext(seg->url, c->allowed_extensions) > 0);
+
+    if (!matchA) {
+        av_log(s, AV_LOG_ERROR, "URL %s is not in allowed_extensions\n", seg->url);
+        return AVERROR_INVALIDDATA;
+    }
+
+    if (in_fmt) {
+        if (in_fmt->extensions) {
+            matchF =      av_match_ext(    seg->url, in_fmt->extensions)
+                     + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0);
+        } else if (!strcmp(in_fmt->name, "mpegts"))
+            matchF = 3;
+
+        if (!(matchA & matchF)) {
+            av_log(s, AV_LOG_ERROR, "detected format extension %s mismatches allowed extensions in url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", seg->url);
+            return AVERROR_INVALIDDATA;
+        }
+    }
+
+    return 0;
+}
+
+ static int parse_playlist(HLSContext *c, const char *url,
+                           struct playlist *pls, AVIOContext *in)
+ {
+@@ -959,6 +994,14 @@ static int parse_playlist(HLSContext *c, const char *url,
+                     goto fail;
+                 }
+                ret = test_segment(c->ctx, pls->ctx ? pls->ctx->iformat : NULL, pls, seg);
+                if (ret < 0) {
+                    av_free(seg->url);
+                    av_free(seg->key);
+                    av_free(seg);
+                    goto fail;
+                }
+
+                 if (duration < 0.001 * AV_TIME_BASE) {
+                     av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s,"
+                                     " set to default value to 1ms.\n", seg->url);
+@@ -2040,6 +2083,11 @@ static int hls_read_header(AVFormatContext *s)
+             pls->ctx->interrupt_callback = s->interrupt_callback;
+             url = av_strdup(pls->segments[0]->url);
+             ret = av_probe_input_buffer(&pls->pb.pub, &in_fmt, url, NULL, 0, 0);
+
+            for (int n = 0; n < pls->n_segments; n++)
+                if (ret >= 0)
+                    ret = test_segment(s, in_fmt, pls, pls->segments[n]);
+
+             if (ret < 0) {
+                 /* Free the ctx - it isn't initialized properly at this point,
+                 * so avformat_close_input shouldn't be called. If
+@@ -2467,6 +2515,8 @@ static const AVOption hls_options[] = {
+         OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
+         {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
+         INT_MIN, INT_MAX, FLAGS},
+    {"extension_picky", "Be picky with all extensions matching",
+        OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS},
+     {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
+         OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
+     {"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments",
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch
new file mode 100644
index 0000000000..0a2488814f
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch
@@ -0,0 +1,45 @@
+From 800f5f818e858c864db86c174114d13f44d59044 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Thu, 16 Jan 2025 00:22:05 +0100
+Subject: [PATCH] avformat/dashdec: Check whitelist
+Fixes: CVE-2023-6602, V. DASH Playlist SSRF
+Found-by: Harvey Phillips of Amazon Element55 (element55)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 4c96d6bf75357ab13808efc9f08c1b41b1bf5bdf)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6604
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/097131a6474bd6294ff337fa92025df60dff907a]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavformat/dashdec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
+index 797fe74..78118de 100644
+--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
+@@ -442,7 +442,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url,
+     av_freep(pb);
+     av_dict_copy(&tmp, *opts, 0);
+     av_dict_copy(&tmp, opts2, 0);
+-    ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp);
+    ret = ffio_open_whitelist(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp, s->protocol_whitelist, s->protocol_blacklist);
+     if (ret >= 0) {
+         // update cookies on http response with setcookies.
+         char *new_cookies = NULL;
+@@ -1217,7 +1217,7 @@ static int parse_manifest(AVFormatContext *s, const char *url, AVIOContext *in)
+         close_in = 1;
+         av_dict_copy(&opts, c->avio_opts, 0);
+-        ret = avio_open2(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts);
+        ret = ffio_open_whitelist(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts, s->protocol_whitelist, s->protocol_blacklist);
+         av_dict_free(&opts);
+         if (ret < 0)
+             return ret;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
index f205c4a5db..27a9a80e8c 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -49,6 +49,9 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://CVE-2025-22919.patch \
           file://CVE-2025-22921.patch \
           file://CVE-2025-7700.patch \
+           file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \
+           file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \
+           file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \
          "
 SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch new file mode 100644 index 0000000000..2b28eeada5 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch
@@ -0,0 +1,79 @@
		1	From 3ef588940eef62742d28171bf212a474206f8e03 Mon Sep 17 00:00:00 2001
		2	From: Michael Niedermayer <michael@niedermayer.cc>
		3	Date: Mon, 15 May 2023 00:54:50 +0200
		4	Subject: [PATCH] avformat: add ff_match_url_ext()
		5
		6	Match url against a list of extensions similar to av_match_ext()
		7
		8	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		9	(cherry picked from commit a7b06bfc5d20b12ff0122702c09517cf359fbb66)
		10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		11
		12	CVE: CVE-2023-6604 CVE-2023-6602 CVE-2023-6605
		13
		14	Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3ef588940ee]
		15
		16	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		17	---
		18	libavformat/format.c \| 25 +++++++++++++++++++++++++
		19	libavformat/internal.h \| 9 +++++++++
		20	2 files changed, 34 insertions(+)
		21
		22	diff --git a/libavformat/format.c b/libavformat/format.c
		23	index 52b85c1..5e057d7 100644
		24	--- a/libavformat/format.c
		25	+++ b/libavformat/format.c
		26	@@ -48,6 +48,31 @@ int av_match_ext(const char filename, const char extensions)
		27	return 0;
		28	}
		29
		30	+int ff_match_url_ext(const char url, const char extensions)
		31	+{
		32	+ const char *ext;
		33	+ URLComponents uc;
		34	+ int ret;
		35	+ char scratchpad[128];
		36	+
		37	+ if (!url)
		38	+ return 0;
		39	+
		40	+ ret = ff_url_decompose(&uc, url, NULL);
		41	+ if (ret < 0 \|\| !URL_COMPONENT_HAVE(uc, scheme))
		42	+ return ret;
		43	+ for (ext = uc.query; *ext != '.' && ext > uc.path; ext--)
		44	+ ;
		45	+
		46	+ if (*ext != '.')
		47	+ return 0;
		48	+ if (uc.query - ext > sizeof(scratchpad))
		49	+ return AVERROR(ENOMEM); //not enough memory in our scratchpad
		50	+ av_strlcpy(scratchpad, ext + 1, FFMIN(sizeof(scratchpad), uc.query - ext));
		51	+
		52	+ return av_match_name(scratchpad, extensions);
		53	+}
		54	+
		55	const AVOutputFormat av_guess_format(const char short_name, const char *filename,
		56	const char *mime_type)
		57	{
		58	diff --git a/libavformat/internal.h b/libavformat/internal.h
		59	index bffb8e6..584b979 100644
		60	--- a/libavformat/internal.h
		61	+++ b/libavformat/internal.h
		62	@@ -1015,6 +1015,15 @@ int ff_unlock_avformat(void);
		63	*/
		64	void ff_format_set_url(AVFormatContext s, char url);
		65
		66	+/**
		67	+ * Return a positive value if the given url has one of the given
		68	+ * extensions, negative AVERROR on error, 0 otherwise.
		69	+ *
		70	+ * @param url url to check against the given extensions
		71	+ * @param extensions a comma-separated list of filename extensions
		72	+ */
		73	+int ff_match_url_ext(const char url, const char extensions);
		74	+
		75	void avpriv_register_devices(const AVOutputFormat * const o[], const AVInputFormat * const i[]);
		76
		77	/**
		78	--
		79	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch new file mode 100644 index 0000000000..1ba1006197 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch
@@ -0,0 +1,142 @@
		1	From 9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 Mon Sep 17 00:00:00 2001
		2	From: Michael Niedermayer <michael@niedermayer.cc>
		3	Date: Thu, 16 Jan 2025 01:28:46 +0100
		4	Subject: [PATCH] avformat/hls: Be more picky on extensions
		5
		6	This blocks disallowed extensions from probing
		7	It also requires all available segments to have matching extensions to the format
		8	mpegts is treated independent of the extension
		9
		10	It is recommended to set the whitelists correctly
		11	instead of depending on extensions, but this should help a bit,
		12	and this is easier to backport
		13
		14	Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
		15	Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
		16
		17	The other parts of CVE-2023-6602 have been fixed by prior commits
		18
		19	Found-by: Harvey Phillips of Amazon Element55 (element55)
		20	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		21	(cherry picked from commit 91d96dc8ddaebe0b6cb393f672085e6bfaf15a31)
		22	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		23
		24	CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6605
		25
		26	Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57]
		27
		28	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		29	---
		30	doc/demuxers.texi \| 7 +++++++
		31	libavformat/hls.c \| 50 +++++++++++++++++++++++++++++++++++++++++++++++
		32	2 files changed, 57 insertions(+)
		33
		34	diff --git a/doc/demuxers.texi b/doc/demuxers.texi
		35	index 26ae768..6e0b25e 100644
		36	--- a/doc/demuxers.texi
		37	+++ b/doc/demuxers.texi
		38	@@ -365,6 +365,13 @@ segment index to start live streams at (negative values are from the end).
		39	@item allowed_extensions
		40	',' separated list of file extensions that hls is allowed to access.
		41
		42	+@item extension_picky
		43	+This blocks disallowed extensions from probing
		44	+It also requires all available segments to have matching extensions to the format
		45	+except mpegts, which is always allowed.
		46	+It is recommended to set the whitelists correctly instead of depending on extensions
		47	+Enabled by default.
		48	+
		49	@item max_reload
		50	Maximum number of times a insufficient list is attempted to be reloaded.
		51	Default value is 1000.
		52	diff --git a/libavformat/hls.c b/libavformat/hls.c
		53	index d5e9b21..e1bb677 100644
		54	--- a/libavformat/hls.c
		55	+++ b/libavformat/hls.c
		56	@@ -214,6 +214,7 @@ typedef struct HLSContext {
		57	AVDictionary *avio_opts;
		58	AVDictionary *seg_format_opts;
		59	char *allowed_extensions;
		60	+ int extension_picky;
		61	int max_reload;
		62	int http_persistent;
		63	int http_multiple;
		64	@@ -716,6 +717,40 @@ static int open_url(AVFormatContext s, AVIOContext pb, const char url,
		65	return ret;
		66	}
		67
		68	+static int test_segment(AVFormatContext s, const AVInputFormat in_fmt, struct playlist pls, struct segment seg)
		69	+{
		70	+ HLSContext *c = s->priv_data;
		71	+ int matchA = 3;
		72	+ int matchF = 0;
		73	+
		74	+ if (!c->extension_picky)
		75	+ return 0;
		76	+
		77	+ if (strcmp(c->allowed_extensions, "ALL"))
		78	+ matchA = av_match_ext (seg->url, c->allowed_extensions)
		79	+ + 2*(ff_match_url_ext(seg->url, c->allowed_extensions) > 0);
		80	+
		81	+ if (!matchA) {
		82	+ av_log(s, AV_LOG_ERROR, "URL %s is not in allowed_extensions\n", seg->url);
		83	+ return AVERROR_INVALIDDATA;
		84	+ }
		85	+
		86	+ if (in_fmt) {
		87	+ if (in_fmt->extensions) {
		88	+ matchF = av_match_ext( seg->url, in_fmt->extensions)
		89	+ + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0);
		90	+ } else if (!strcmp(in_fmt->name, "mpegts"))
		91	+ matchF = 3;
		92	+
		93	+ if (!(matchA & matchF)) {
		94	+ av_log(s, AV_LOG_ERROR, "detected format extension %s mismatches allowed extensions in url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", seg->url);
		95	+ return AVERROR_INVALIDDATA;
		96	+ }
		97	+ }
		98	+
		99	+ return 0;
		100	+}
		101	+
		102	static int parse_playlist(HLSContext c, const char url,
		103	struct playlist pls, AVIOContext in)
		104	{
		105	@@ -959,6 +994,14 @@ static int parse_playlist(HLSContext c, const char url,
		106	goto fail;
		107	}
		108
		109	+ ret = test_segment(c->ctx, pls->ctx ? pls->ctx->iformat : NULL, pls, seg);
		110	+ if (ret < 0) {
		111	+ av_free(seg->url);
		112	+ av_free(seg->key);
		113	+ av_free(seg);
		114	+ goto fail;
		115	+ }
		116	+
		117	if (duration < 0.001 * AV_TIME_BASE) {
		118	av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s,"
		119	" set to default value to 1ms.\n", seg->url);
		120	@@ -2040,6 +2083,11 @@ static int hls_read_header(AVFormatContext *s)
		121	pls->ctx->interrupt_callback = s->interrupt_callback;
		122	url = av_strdup(pls->segments[0]->url);
		123	ret = av_probe_input_buffer(&pls->pb.pub, &in_fmt, url, NULL, 0, 0);
		124	+
		125	+ for (int n = 0; n < pls->n_segments; n++)
		126	+ if (ret >= 0)
		127	+ ret = test_segment(s, in_fmt, pls, pls->segments[n]);
		128	+
		129	if (ret < 0) {
		130	/* Free the ctx - it isn't initialized properly at this point,
		131	* so avformat_close_input shouldn't be called. If
		132	@@ -2467,6 +2515,8 @@ static const AVOption hls_options[] = {
		133	OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
		134	{.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
		135	INT_MIN, INT_MAX, FLAGS},
		136	+ {"extension_picky", "Be picky with all extensions matching",
		137	+ OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS},
		138	{"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
		139	OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
		140	{"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments",
		141	--
		142	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch new file mode 100644 index 0000000000..0a2488814f --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch
@@ -0,0 +1,45 @@
		1	From 800f5f818e858c864db86c174114d13f44d59044 Mon Sep 17 00:00:00 2001
		2	From: Michael Niedermayer <michael@niedermayer.cc>
		3	Date: Thu, 16 Jan 2025 00:22:05 +0100
		4	Subject: [PATCH] avformat/dashdec: Check whitelist
		5
		6	Fixes: CVE-2023-6602, V. DASH Playlist SSRF
		7
		8	Found-by: Harvey Phillips of Amazon Element55 (element55)
		9	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		10	(cherry picked from commit 4c96d6bf75357ab13808efc9f08c1b41b1bf5bdf)
		11	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		12
		13	CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6604
		14
		15	Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/097131a6474bd6294ff337fa92025df60dff907a]
		16
		17	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		18	---
		19	libavformat/dashdec.c \| 4 ++--
		20	1 file changed, 2 insertions(+), 2 deletions(-)
		21
		22	diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
		23	index 797fe74..78118de 100644
		24	--- a/libavformat/dashdec.c
		25	+++ b/libavformat/dashdec.c
		26	@@ -442,7 +442,7 @@ static int open_url(AVFormatContext s, AVIOContext pb, const char url,
		27	av_freep(pb);
		28	av_dict_copy(&tmp, *opts, 0);
		29	av_dict_copy(&tmp, opts2, 0);
		30	- ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp);
		31	+ ret = ffio_open_whitelist(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp, s->protocol_whitelist, s->protocol_blacklist);
		32	if (ret >= 0) {
		33	// update cookies on http response with setcookies.
		34	char *new_cookies = NULL;
		35	@@ -1217,7 +1217,7 @@ static int parse_manifest(AVFormatContext s, const char url, AVIOContext *in)
		36	close_in = 1;
		37
		38	av_dict_copy(&opts, c->avio_opts, 0);
		39	- ret = avio_open2(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts);
		40	+ ret = ffio_open_whitelist(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts, s->protocol_whitelist, s->protocol_blacklist);
		41	av_dict_free(&opts);
		42	if (ret < 0)
		43	return ret;
		44	--
		45	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index f205c4a5db..27a9a80e8c 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -49,6 +49,9 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
49	file://CVE-2025-22919.patch \	49	file://CVE-2025-22919.patch \
50	file://CVE-2025-22921.patch \	50	file://CVE-2025-22921.patch \
51	file://CVE-2025-7700.patch \	51	file://CVE-2025-7700.patch \
		52	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \
		53	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \
		54	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \
52	"	55	"
53		56
54	SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"	57	SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"