$OpenBSD: patch-libavformat_hls_c,v 1.3 2016/01/16 09:01:26 ajacoutot Exp $

avformat/hls: forbid all protocols except http(s) & file

avformat/hls: More strict url checks

avformat/hls: Even stricter URL checks

CVE-2016-1897 and CVE-2016-1898

--- libavformat/hls.c.orig	Fri Jan 15 17:56:38 2016
+++ libavformat/hls.c	Fri Jan 15 17:58:41 2016
@@ -618,6 +618,18 @@ static int open_url(HLSContext *c, URLContext **uc, co
 {
     AVDictionary *tmp = NULL;
     int ret;
+    const char *proto_name = avio_find_protocol_name(url);
+
+    if (!proto_name)
+        return AVERROR_INVALIDDATA;
+
+    // only http(s) & file are allowed
+    if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL))
+        return AVERROR_INVALIDDATA;
+    if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':')
+        ;
+    else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5))
+        return AVERROR_INVALIDDATA;
 
     av_dict_copy(&tmp, c->avio_opts, 0);
     av_dict_copy(&tmp, opts, 0);
