[FFmpeg-devel] [PATCH]lavc/alac: Avoid allocating huge memory blocks for malicious alac input.

Derek Buitenhuis derek.buitenhuis at gmail.com
Wed Nov 1 16:46:56 EET 2017


On 11/1/2017 2:25 PM, Carl Eugen Hoyos wrote:
> It appears to me that the alac decoder can be used for DoS, the attached patch
> limits the maximum frame size to eight times the default value.
> (Higher values break our encoder here.)

Since the official ALAC encoder/decoder are open source nowadays, I took a look
at its source, and it doesn't seem to set any such limit in the encoder or decoder.

So, isn't it possible this arbitrary hardcoded limit breaks valid files?

- Derek

