[FFmpeg-devel] [PATCH 1/2] avformat/options_table: Set the default maximum number of streams to 1000

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Tue Dec 13 01:33:09 EET 2016


On 10.12.2016 20:15, Michael Niedermayer wrote:
> Fixes CVE-2016-9561

I think the commit message should mention that the security relevance of
this is disputed, as running out of memory can happen with valid files.

> Suggested-by: Andreas Cadhalpun <andreas.cadhalpun at googlemail.com>
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavformat/options_table.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/options_table.h b/libavformat/options_table.h
> index d5448e503f..a537dda95e 100644
> --- a/libavformat/options_table.h
> +++ b/libavformat/options_table.h
> @@ -105,7 +105,7 @@ static const AVOption avformat_options[] = {
>  {"format_whitelist", "List of demuxers that are allowed to be used", OFFSET(format_whitelist), AV_OPT_TYPE_STRING, { .str = NULL },  CHAR_MIN, CHAR_MAX, D },
>  {"protocol_whitelist", "List of protocols that are allowed to be used", OFFSET(protocol_whitelist), AV_OPT_TYPE_STRING, { .str = NULL },  CHAR_MIN, CHAR_MAX, D },
>  {"protocol_blacklist", "List of protocols that are not allowed to be used", OFFSET(protocol_blacklist), AV_OPT_TYPE_STRING, { .str = NULL },  CHAR_MIN, CHAR_MAX, D },
> -{"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = INT_MAX }, 0, INT_MAX, D },
> +{"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = 1000 }, 0, INT_MAX, D },
>  {NULL},
>  };

The change itself looks good to me.

Best regards,
Andreas


More information about the ffmpeg-devel mailing list