Bug#517462: vlc creates infinite playlist from Quicktime "Multiple URLs" file

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 27 21:56:01 UTC 2009


Package: vlc
Version: 0.8.6.h-5

The following URL contains a QuickTime file which /usr/bin/file
identifies as "Apple QuickTime multiple URLs":

http://science.education.nih.gov/supplements/nih1/Cancer/videos/act2/CB5_MSTR.mov

You can access this file via a web page here if you want to see it in a
browser:

http://science.education.nih.gov/supplements/nih1/Cancer/activities/activity2_videos.htm

vlc 0.8.6.h-5 (on i386) gets itself into a nasty infinite regress if you
try to load the first URL directly in vlc like this:

 vlc "$URL"

What seems to happen is that the .mov file contains a set of references
to other streams (in this case, the streams appear to be the same
content, optimized for different bitrates).  However, one of the
embedded URLs appears to be a link to the same file:

> 0 $ wget -q -O- 'http://science.education.nih.gov/supplements/nih1/Cancer/videos/act2/CB5_MSTR.mov' | strings | grep mov
> CB5_MSTR.mov
> CB5_144.mov
> CB5_56K.mov
> CB5_ISDN.mov
> CB5_T1.mov
> 0 $


It looks like vlc is recursively loading this file, and each load adds
another 5 entries to the playlist.  This goes on until you kill vlc.
This strikes me as a potential risk for a remotely-triggered denial of
service attack.

I've also tried this with VLC 0.9.8a-1 (from experimental). This new
version behaves a little bit better, because it at least starts playing
the actual content files (starting at CB5_144.mov), and doesn't trigger
the infinite regress quite as fast.  It *is* still an infinite regress,
though, and if the individual content files were only a fraction of a
second in length, it seems like it could have the same misbehavior.

What's more, it doesn't seem that vlc properly respects the intent of
such a file either.  I don't know the QuickTime spec at all, but I'd
assume that the intent of a QuickTime wrapper file like this is to
automatically send the user to the correct stream of data based on their
(pre-configured?) bandwidth preference, not to show them each video
stream in sequence.  Is there a way that such intent is encoded in the
aggregated .mov file?

If you are unable to replicate this misbehavior of vlc, please let me
know if you'd like any more specific debugging information.  I'm happy
to provide.

Thanks for maintaining vlc in Debian!

	--dkg


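The report above describes a reference file that lists itself, so each load appends the same five entries again. As an added example (not VLC's code and not part of the original report), here is one way a player could bound that expansion: fetch each URL at most once and cap nesting depth and total URLs. The fetch_refs callback, the two limits and the placeholder host are assumptions; the file names come from the strings output in the report.

```python
from urllib.parse import urldefrag, urljoin

MAX_DEPTH = 8    # assumed limit on how deeply reference files may nest
MAX_URLS = 256   # assumed limit on distinct URLs fetched per top-level open

class PlaylistLimitError(Exception):
    """Raised when a reference file exceeds the expansion limits."""

def expand(url, fetch_refs, max_depth=MAX_DEPTH, max_urls=MAX_URLS):
    """Flatten a reference file into playable URLs, fetching each URL once.

    fetch_refs(url) is a hypothetical callback returning the references
    embedded in url (relative or absolute), or [] for ordinary media.
    """
    seen, playlist = set(), []

    def visit(u, depth):
        u = urldefrag(u).url          # "x.mov#a" and "x.mov" are the same file
        if u in seen:
            return                    # self-reference or cycle: do not re-expand
        if depth > max_depth or len(seen) >= max_urls:
            raise PlaylistLimitError(u)
        seen.add(u)
        refs = fetch_refs(u)
        if not refs:
            playlist.append(u)        # leaf: actual media
            return
        for ref in refs:
            visit(urljoin(u, ref), depth + 1)

    visit(url, 0)
    return playlist

# Constructed sample: file names from the strings output, placeholder host.
BASE = "http://media.example.invalid/act2/"
SAMPLE = {BASE + "CB5_MSTR.mov": ["CB5_MSTR.mov", "CB5_144.mov", "CB5_56K.mov",
                                  "CB5_ISDN.mov", "CB5_T1.mov"]}

def sample_fetch(url):
    return SAMPLE.get(url, [])

if __name__ == "__main__":
    for entry in expand(BASE + "CB5_MSTR.mov", sample_fetch):
        print(entry)
```

The seen set stops the self-reference and longer cycles; the depth and URL caps bound work for reference chains that never repeat a URL.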

More information about the pkg-multimedia-maintainers mailing list