[FFmpeg-devel] [PATCH] Allow the user to limit metadata length and bext coding history (PR #20642)

[michaelni via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>]

PR #20642 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20642
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20642.patch


>From 42e879d0a91dcb4ee5d21329b58ef93014ea3cb3 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 3 Oct 2025 00:12:32 +0200
Subject: [PATCH 1/2] avformat: Add max_metadata_length to limit the maximum
 length of metadata entries

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 doc/APIchanges              | 3 +++
 libavformat/avformat.h      | 8 ++++++++
 libavformat/options_table.h | 1 +
 libavformat/version.h       | 2 +-
 4 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/doc/APIchanges b/doc/APIchanges
index 6e7f5d2037..01faaa4dff 100644
--- a/doc/APIchanges
+++ b/doc/APIchanges
@@ -2,6 +2,9 @@ The last version increases of all libraries were on 2025-03-28
 
 API changes, most recent first:
 
+2025-10-xx - xxxxxxxxxx - lavf 62.7.100 - avformat.h
+  Add max_metadata_length
+
 2025-08-xx - xxxxxxxxxx - lavf 62.6.100 - oggparsevorbis.h oggparseopus.h oggparseflac.h
   Drop header packets from secondary chained ogg/{flac, opus, vorbis} streams
   from demuxer output.
diff --git a/libavformat/avformat.h b/libavformat/avformat.h
index a7446546e5..2ce09f31fa 100644
--- a/libavformat/avformat.h
+++ b/libavformat/avformat.h
@@ -1884,6 +1884,14 @@ typedef struct AVFormatContext {
      * @see skip_estimate_duration_from_pts
      */
     int64_t duration_probesize;
+
+    /**
+     * The maximum length of metadata fields.
+     * This gives demuxers a guideline of what is "too large"
+     * - encoding: unused
+     * - decoding: set by user
+     */
+    int max_metadata_length;
 } AVFormatContext;
 
 /**
diff --git a/libavformat/options_table.h b/libavformat/options_table.h
index 5047b5ce50..1d458c1200 100644
--- a/libavformat/options_table.h
+++ b/libavformat/options_table.h
@@ -106,6 +106,7 @@ static const AVOption avformat_options[] = {
 {"skip_estimate_duration_from_pts", "skip duration calculation in estimate_timings_from_pts", OFFSET(skip_estimate_duration_from_pts), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, D},
 {"max_probe_packets", "Maximum number of packets to probe a codec", OFFSET(max_probe_packets), AV_OPT_TYPE_INT, { .i64 = 2500 }, 0, INT_MAX, D },
 {"duration_probesize", "Maximum number of bytes to probe the durations of the streams in estimate_timings_from_pts", OFFSET(duration_probesize), AV_OPT_TYPE_INT64, {.i64 = 0 }, 0, (double)INT64_MAX, D},
+{"max_metadata_length", "Maximum length of metadata fields", OFFSET(max_metadata_length), AV_OPT_TYPE_INT, { .i64 = INT_MAX }, 0, INT_MAX, D },
 {NULL},
 };
 
diff --git a/libavformat/version.h b/libavformat/version.h
index 4bde82abb4..70c554c19c 100644
--- a/libavformat/version.h
+++ b/libavformat/version.h
@@ -31,7 +31,7 @@
 
 #include "version_major.h"
 
-#define LIBAVFORMAT_VERSION_MINOR   6
+#define LIBAVFORMAT_VERSION_MINOR   7
 #define LIBAVFORMAT_VERSION_MICRO 100
 
 #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \
-- 
2.49.1


>From dad6cf719230e6d6c486880d621204d885ef055f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 3 Oct 2025 00:14:46 +0200
Subject: [PATCH 2/2] avformat/wavdec: Limit the BEXT coding history size to
 the max metadata length

The specification has no limit on its size.
This can cause allocation of physical memory
twice the size of the input file.

giving the user a way to limit this makes sense.
Even though there are other ways to cause more memory
to be allocated.

Reported-by: Albin V, AWS Security
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/wavdec.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index 7d701c517a..4ee9658be6 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -32,6 +32,7 @@
 #include "libavutil/dict.h"
 #include "libavutil/intreadwrite.h"
 #include "libavutil/log.h"
+#include "libavutil/macros.h"
 #include "libavutil/mathematics.h"
 #include "libavutil/mem.h"
 #include "libavutil/opt.h"
@@ -322,15 +323,20 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t size)
         /* CodingHistory present */
         size -= 602;
 
-        if (!(coding_history = av_malloc(size + 1)))
+        int read_len = FFMIN3(size, s->max_metadata_length, INT_MAX - 1);
+
+        if (!(coding_history = av_malloc(read_len + 1)))
             return AVERROR(ENOMEM);
 
-        if ((ret = ffio_read_size(s->pb, coding_history, size)) < 0) {
+        if ((ret = ffio_read_size(s->pb, coding_history, read_len)) < 0) {
             av_free(coding_history);
             return ret;
         }
 
-        coding_history[size] = 0;
+        if (read_len < size)
+            avio_skip(s->pb, size - read_len);
+
+        coding_history[read_len] = 0;
         if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history,
                                AV_DICT_DONT_STRDUP_VAL)) < 0)
             return ret;
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org