[vlc-devel] [PATCH] M3u & pls demux: Check the size of each file line to prevent flooding the playlist.

Rémi Denis-Courmont remi at remlab.net
Wed Apr 24 13:38:13 CEST 2013


On Wed, 24 Apr 2013 13:09:44 +0200, Adrien Maglo <magsoft at videolan.org>
wrote:
> Hello,
> 
> 
> The exploit attached to the ticket #7361 shows that it is possible to 
> freeze VLC with a corrupted playlist file containing very long lines.

Well maybe long URLs should not be printed wholly in the logs then?

> VLC indeed outputs to the logs a message giving the name of the media, 
> which is extremely long. This is not a security issue but as logging is 
> a costly operation, outputting this message takes a lot of time and 
> freezes VLC.
> 
> The attached patch proposes to set a maximum line length for the M3U and
> PLS playlist format. It therefore prevents the playlist from being
> flooded using these demux.

And what about all the many other playlist parsers? I think this fails to
address the problem.

-- 
Rémi Denis-Courmont
Sent from my collocated server
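
The reply above suggests bounding what is written to the log instead of limiting line length in individual parsers. An added example of that idea in C, not taken from the attached patch or from VLC's code: `bounded_log_name`, `LOG_NAME_MAX` and `SUFFIX_ROOM` are hypothetical names, and `printf` stands in for the real log call.

```c
#include <stdio.h>
#include <string.h>

#define LOG_NAME_MAX 256   /* hypothetical cap, not a VLC constant */
#define SUFFIX_ROOM   40   /* space for "...[N bytes]" plus the NUL */

/* Write a log-safe copy of `name` into `out`, keeping at most `max` bytes
 * of it and appending the original length when it was cut.
 * Returns the number of bytes of `name` that were kept. */
static size_t bounded_log_name(const char *name, char *out,
                               size_t outsz, size_t max)
{
    size_t len = strlen(name);
    size_t keep = len < max ? len : max;

    if (outsz <= SUFFIX_ROOM) {          /* caller buffer too small */
        if (outsz > 0)
            out[0] = '\0';
        return 0;
    }
    if (keep > outsz - SUFFIX_ROOM)
        keep = outsz - SUFFIX_ROOM;

    /* Do not cut inside a multi-byte UTF-8 sequence: back up while the
     * first dropped byte is a continuation byte (10xxxxxx). */
    while (keep > 0 && keep < len &&
           ((unsigned char)name[keep] & 0xC0) == 0x80)
        keep--;

    if (keep == len)
        snprintf(out, outsz, "%s", name);
    else
        snprintf(out, outsz, "%.*s...[%zu bytes]", (int)keep, name, len);
    return keep;
}

int main(void)
{
    static char line[100001];            /* constructed over-long entry */
    char out[LOG_NAME_MAX + SUFFIX_ROOM];

    memset(line, 'A', sizeof line - 1);
    bounded_log_name(line, out, sizeof out, LOG_NAME_MAX);
    printf("adding item: %s\n", out);    /* stand-in for the log call */
    return 0;
}
```

Because the cap is applied where the message is formatted, it covers every playlist parser that logs a media name, not only M3U and PLS.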


