[vlc-devel] Bug in StreamURL::request: do not inflate streamUrl streams

Demetrius Iatrakis demetrius.iatrakis at gmail.com
Fri Aug 27 22:28:20 UTC 2021


Hello,

Commit 4526db9b
(https://code.videolan.org/videolan/vlc/-/commit/4526db9b) makes it so
that StreamURL::request always tries to inflate responses, in case
they are (incorrectly?) compressed. However, this incorrectly assumes
that every response that starts with a gzip/zlib header is compressed.
(see https://mailman.videolan.org/pipermail/vlc-devel/2017-July/114303.html)
This is not true, for example, in the case of HLS keys: An arbitrary
AES-128 key can start with a gzip/zlib header. inflate.c will then try
to decompress it, failing with a "corrupt stream" error.

In my opinion, it is probably a good idea to reverse the commit. In
this case, trying to cope with a hypothetical faulty implementation
that would send compressed HLS keys only leads to failure to support
proper implementations.

To reproduce, play an HLS stream such that the keyfile starts, for
example, with 6805 in hex. This passes the check in
https://code.videolan.org/videolan/vlc/-/blob/master/modules/stream_filter/inflate.c#L146,
and inflate.c will try to decompress it.

-- 
Demetrius


More information about the vlc-devel mailing list