[FFmpeg-devel] [PATCH] avcodec: Require avoptions for the user to set max_pixels.

Michael Niedermayer michael at niedermayer.cc
Sun Dec 11 18:19:28 EET 2016

On Sun, Dec 11, 2016 at 04:06:00PM +0100, Nicolas George wrote:
> Le primidi 21 frimaire, an CCXXV, Michael Niedermayer a écrit :
> > Its explained in the patch comment above
> > 
> > max_pixels should to be backported as it allows users to control memory
> > use from large images better, avoid some OOMs and fixes issues which
> > some people consider security bugs
> > if its backported it will not be in the same location relative to the
> > start of AVCodecContext in master, 3.2, 3.1, 3.0
> > master, 3.2, 3.1, 3.0 all have the same soname
> > libs using the same soname need to be binary compatible
> > direct access to one location will not work and thus be binary
> > incompatible if the field is at a different location
> I think this is a terrible reason to make the code needlessly more
> complicated.
> I do not know where this new hype of treating OOM as a security issue
> comes from, but if we go in that direction it will take much more than a
> few ill-thought options to fix it.
> OOM is not a security issue. If people want to avoid it, let them use
> their operating system's features. And if there are other security
> issues that this is supposed to fix, document them before proposing a
> shaky fix.

As long as it is not documented that you need to run libavcodec/format
in a seperate process it is a security issue if you crash.
remotely triggered crashes are a security issue, this is not new.

iam not really in the camp that belives that these OOM crashes are
a real security issue nor am i in the camp that belives they are non
issues. (i in fact had pointed some security researchers who reported
some OOM issues to threads here previously and the effect of that
was that they simply registered CVE# for the issues and published
them (after some time) not bothering to inform me about either)
i had hoped they would join the discussions ...

One part of me can understand that, one part of me can understand the
community but i do not enjoy being between the 2 at all and i kind of

What id like to do is simply fix the issues i can fix. The max_pixels
and max_streams code is doing that.

Also i think people should make up their mind.
If you (plural) want to make it mandatory to run libavcodec/format in
a seperate process if the input is untrusted you should have a priority
of documenting that, and think about what it means for past releases
that did not have such a requirment documented

And compltely indepandant of the security aspect, the pixels and
streams are special in that they can cause OOM crashes without being
crafted input files, in fact totally valid files can trigger it.

And i disagree that not crashing on valid files is a feature.
(one argument against backporting seemed to be that its a feature and
 not a bugfix)


Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Modern terrorism, a quick summary: Need oil, start war with country that
has oil, kill hundread thousand in war. Let country fall into chaos,
be surprised about raise of fundamantalists. Drop more bombs, kill more
people, be surprised about them taking revenge and drop even more bombs
and strip your own citizens of their rights and freedoms. to be continued
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20161211/3fca1414/attachment.sig>

More information about the ffmpeg-devel mailing list