To: ffmpeg-devel@ffmpeg.org
Date: Fri, 03 Oct 2025 00:28:31 -0000
Message-ID: <175945131258.69.13151872070440336765@bf249f23a2c8>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] Allow the user to limit metadata length and bext coding history (PR #20642)
List-Id: FFmpeg development discussions and patches
From: michaelni via ffmpeg-devel
Cc: michaelni
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

PR #20642 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20642
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20642.patch

>>From 42e879d0a91dcb4ee5d21329b58ef93014ea3cb3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2025 00:12:32 +0200 Subject: [PATCH 1/2] avformat: Add max_metadata_length to limit the maximum length of metadata entries Signed-off-by: Michael Niedermayer --- doc/APIchanges | 3 +++ libavformat/avformat.h | 8 ++++++++ libavformat/options_table.h | 1 + libavformat/version.h | 2 +- 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/doc/APIchanges b/doc/APIchanges index 6e7f5d2037..01faaa4dff 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
@@ -2,6 +2,9 @@ The last version increases of all libraries were on 2025-03-28 API changes, most recent first: +2025-10-xx - xxxxxxxxxx - lavf 62.7.100 - avformat.h + Add max_metadata_length + 2025-08-xx - xxxxxxxxxx - lavf 62.6.100 - oggparsevorbis.h oggparseopus.h oggparseflac.h Drop header packets from secondary chained ogg/{flac, opus, vorbis} streams from demuxer output. diff --git a/libavformat/avformat.h b/libavformat/avformat.h index a7446546e5..2ce09f31fa 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -1884,6 +1884,14 @@ typedef struct AVFormatContext { * @see skip_estimate_duration_from_pts */ int64_t duration_probesize; + + /** + * The maximum length of metadata fields. + * This gives demuxers a guideline of what is "too large" + * - encoding: unused + * - decoding: set by user + */ + int max_metadata_length; } AVFormatContext; /** diff --git a/libavformat/options_table.h b/libavformat/options_table.h index 5047b5ce50..1d458c1200 100644 --- a/libavformat/options_table.h +++ b/libavformat/options_table.h @@ -106,6 +106,7 @@ static const AVOption avformat_options[] = { {"skip_estimate_duration_from_pts", "skip duration calculation in estimate_timings_from_pts", OFFSET(skip_estimate_duration_from_pts), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, D}, {"max_probe_packets", "Maximum number of packets to probe a codec", OFFSET(max_probe_packets), AV_OPT_TYPE_INT, { .i64 = 2500 }, 0, INT_MAX, D }, {"duration_probesize", "Maximum number of bytes to probe the durations of the streams in estimate_timings_from_pts", OFFSET(duration_probesize), AV_OPT_TYPE_INT64, {.i64 = 0 }, 0, (double)INT64_MAX, D}, +{"max_metadata_length", "Maximum length of metadata fields", OFFSET(max_metadata_length), AV_OPT_TYPE_INT, { .i64 = INT_MAX }, 0, INT_MAX, D }, {NULL}, }; diff --git a/libavformat/version.h b/libavformat/version.h index 4bde82abb4..70c554c19c 100644 --- a/libavformat/version.h +++ b/libavformat/version.h 
@@ -31,7 +31,7 @@ #include "version_major.h" -#define LIBAVFORMAT_VERSION_MINOR 6 +#define LIBAVFORMAT_VERSION_MINOR 7 #define LIBAVFORMAT_VERSION_MICRO 100 #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \ -- 2.49.1 >>From dad6cf719230e6d6c486880d621204d885ef055f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2025 00:14:46 +0200 Subject: [PATCH 2/2] avformat/wavdec: Limit the BEXT coding history size to the max metadata length The specification has no limit on its size. This can cause allocation of physical memory twice the size of the input file. giving the user a way to limit this makes sense. Even though there are other ways to cause more memory to be allocated. Reported-by: Albin V, AWS Security Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 7d701c517a..4ee9658be6 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -32,6 +32,7 @@ #include "libavutil/dict.h" #include "libavutil/intreadwrite.h" #include "libavutil/log.h" +#include "libavutil/macros.h" #include "libavutil/mathematics.h" #include "libavutil/mem.h" #include "libavutil/opt.h" 
@@ -322,15 +323,20 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t size) /* CodingHistory present */ size -= 602; - if (!(coding_history = av_malloc(size + 1))) + int read_len = FFMIN3(size, s->max_metadata_length, INT_MAX - 1); + + if (!(coding_history = av_malloc(read_len + 1))) return AVERROR(ENOMEM); - if ((ret = ffio_read_size(s->pb, coding_history, size)) < 0) { + if ((ret = ffio_read_size(s->pb, coding_history, read_len)) < 0) { av_free(coding_history); return ret; } - coding_history[size] = 0; + if (read_len < size) + avio_skip(s->pb, size - read_len); + + coding_history[read_len] = 0; if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history, AV_DICT_DONT_STRDUP_VAL)) < 0) return ret; -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
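Review bot: the doc comment added for max_metadata_length in libavformat/avformat.h does not say what unit the length is in or what a demuxer does with a field that exceeds it. "The maximum length of metadata fields" and "a guideline of what is too large" leave each demuxer free to interpret the limit differently, while wavdec.c in patch 2 treats it as a byte count and truncates. Suggest stating the unit, that the limit applies to a single entry's value, whether oversized entries are truncated or dropped, and that the default is INT_MAX, so that later demuxers adopting the field behave the same way.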
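Review bot: the default of INT_MAX in the new avformat_options[] entry in libavformat/options_table.h leaves the limit inactive unless the caller sets it, so the allocation described in the patch 2 commit message is unchanged for anyone running with defaults. If that is intended, the help string should say so and name the unit, since "Maximum length of metadata fields" gives a user nothing to pick a value from. The minimum of 0 is also accepted, and with it wav_parse_bext_tag reads nothing and still calls av_dict_set with an empty coding_history string; consider whether 0 should skip the entry instead. The diffstat shows no user documentation for the new option beyond doc/APIchanges.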
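Review bot: the return value of avio_skip(s->pb, size - read_len) in wav_parse_bext_tag (libavformat/wavdec.c) is discarded, so a failed skip over the untruncated remainder goes unnoticed and the function continues to av_dict_set as if the chunk had been consumed. Suggest checking it and freeing coding_history on error, the same way the ffio_read_size branch just above does. The truncation itself is silent as well: an av_log warning when read_len < size would tell the user that coding_history was cut by max_metadata_length rather than being short in the file. Since size is int64_t and read_len is int, a one-line comment that the INT_MAX - 1 term in FFMIN3 exists to keep read_len + 1 from overflowing would help the next reader.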