A vulnerability in the way FFmpeg handles the concat (CVE-2016-1897) and
subfile (CVE-2016-1898) protocols in a HTTP Live Streaming (HLS) M3U8
file allows a remote attacker to conduct a cross-origin attacks, and to
access arbitrary local files on the vulnerable host. The attack uses a
crafted M3U8 file to make FFmpeg send a HTTP request to an external
server, with the URL containing data from arbitrary local files.