PR #20642 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20642 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20642.patch
>From 42e879d0a91dcb4ee5d21329b58ef93014ea3cb3 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Fri, 3 Oct 2025 00:12:32 +0200
Subject: [PATCH 1/2] avformat: Add max_metadata_length to limit the maximum length of metadata entries
Signed-off-by: Michael Niedermayer <[email protected]>
---
 doc/APIchanges | 3 +++
 libavformat/avformat.h | 8 ++++++++
 libavformat/options_table.h | 1 +
 libavformat/version.h | 2 +-
 4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/doc/APIchanges b/doc/APIchanges
index 6e7f5d2037..01faaa4dff 100644
--- a/doc/APIchanges
+++ b/doc/APIchanges
@@ -2,6 +2,9 @@ The last version increases of all libraries were on 2025-03-28
 API changes, most recent first:
+2025-10-xx - xxxxxxxxxx - lavf 62.7.100 - avformat.h
+  Add max_metadata_length
+
 2025-08-xx - xxxxxxxxxx - lavf 62.6.100 - oggparsevorbis.h oggparseopus.h oggparseflac.h
   Drop header packets from secondary chained ogg/{flac, opus, vorbis} streams from demuxer output.
diff --git a/libavformat/avformat.h b/libavformat/avformat.h
index a7446546e5..2ce09f31fa 100644
--- a/libavformat/avformat.h
+++ b/libavformat/avformat.h
@@ -1884,6 +1884,14 @@ typedef struct AVFormatContext {
      * @see skip_estimate_duration_from_pts
      */
     int64_t duration_probesize;
+
+    /**
+     * The maximum length of metadata fields.
+     * This gives demuxers a guideline of what is "too large"
+     * - encoding: unused
+     * - decoding: set by user
+     */
+    int max_metadata_length;
 } AVFormatContext;
 /**
diff --git a/libavformat/options_table.h b/libavformat/options_table.h
index 5047b5ce50..1d458c1200 100644
--- a/libavformat/options_table.h
+++ b/libavformat/options_table.h
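Review bot: The doc comment on the new `max_metadata_length` field in the avformat.h hunk does not say what a demuxer does with an entry that exceeds it, which is exactly what a user setting it to bound memory needs to know; the only consumer in this series, wav_parse_bext_tag in patch 2/2, reads at most that many bytes of the entry and skips the remainder, and the option table defaults the field to INT_MAX. I would extend the comment with `* Demuxers that honor this read at most this many bytes of an entry and skip the rest; not every demuxer checks it. Default INT_MAX (no limit).` The enclosing AVFormatContext definition begins and ends outside the hunk.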
@@ -106,6 +106,7 @@ static const AVOption avformat_options[] = {
 {"skip_estimate_duration_from_pts", "skip duration calculation in estimate_timings_from_pts", OFFSET(skip_estimate_duration_from_pts), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, D},
 {"max_probe_packets", "Maximum number of packets to probe a codec", OFFSET(max_probe_packets), AV_OPT_TYPE_INT, { .i64 = 2500 }, 0, INT_MAX, D },
 {"duration_probesize", "Maximum number of bytes to probe the durations of the streams in estimate_timings_from_pts", OFFSET(duration_probesize), AV_OPT_TYPE_INT64, {.i64 = 0 }, 0, (double)INT64_MAX, D},
+{"max_metadata_length", "Maximum length of metadata fields", OFFSET(max_metadata_length), AV_OPT_TYPE_INT, { .i64 = INT_MAX }, 0, INT_MAX, D },
 {NULL},
 };
diff --git a/libavformat/version.h b/libavformat/version.h
index 4bde82abb4..70c554c19c 100644
--- a/libavformat/version.h
+++ b/libavformat/version.h
@@ -31,7 +31,7 @@
 #include "version_major.h"
-#define LIBAVFORMAT_VERSION_MINOR 6
+#define LIBAVFORMAT_VERSION_MINOR 7
 #define LIBAVFORMAT_VERSION_MICRO 100
 #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \
--
2.49.1
>From dad6cf719230e6d6c486880d621204d885ef055f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Fri, 3 Oct 2025 00:14:46 +0200
Subject: [PATCH 2/2] avformat/wavdec: Limit the BEXT coding history size to the max metadata length
The specification has no limit on its size. This can cause allocation of physical memory twice the size of the input file. giving the user a way to limit this makes sense. Even though there are other ways to cause more memory to be allocated.
Reported-by: Albin V, AWS Security
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/wavdec.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index 7d701c517a..4ee9658be6 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
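Review bot: The `{ .i64 = INT_MAX }` default on the new `max_metadata_length` option means the unbounded allocation described in patch 2/2 is unchanged unless the caller opts in; that is a defensible compatibility choice, but the help string should then tell users the option is a truncating cap, e.g. `"Maximum length of metadata fields; demuxers that honor it truncate longer entries"`. Also, with the minimum set to 0, a value of 0 makes wav_parse_bext_tag read zero bytes and store an empty `coding_history` entry rather than omit it; if an empty entry is not intended, a minimum of 1 or a documented meaning for 0 avoids the surprise. The version.h hunk is a plain minor bump and needs nothing.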
@@ -32,6 +32,7 @@
 #include "libavutil/dict.h"
 #include "libavutil/intreadwrite.h"
 #include "libavutil/log.h"
+#include "libavutil/macros.h"
 #include "libavutil/mathematics.h"
 #include "libavutil/mem.h"
 #include "libavutil/opt.h"
@@ -322,15 +323,20 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t size)
     /* CodingHistory present */
     size -= 602;
-    if (!(coding_history = av_malloc(size + 1)))
+    int read_len = FFMIN3(size, s->max_metadata_length, INT_MAX - 1);
+
+    if (!(coding_history = av_malloc(read_len + 1)))
         return AVERROR(ENOMEM);
-    if ((ret = ffio_read_size(s->pb, coding_history, size)) < 0) {
+    if ((ret = ffio_read_size(s->pb, coding_history, read_len)) < 0) {
         av_free(coding_history);
         return ret;
     }
-    coding_history[size] = 0;
+    if (read_len < size)
+        avio_skip(s->pb, size - read_len);
+
+    coding_history[read_len] = 0;
     if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history,
                            AV_DICT_DONT_STRDUP_VAL)) < 0)
         return ret;
--
2.49.1
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
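Review bot: The truncation introduced by `if (read_len < size)` is silent and the result of `avio_skip` on the following line is discarded, so a user who lowered max_metadata_length gets a cut `coding_history` entry with no diagnostic, and a failed skip (input shorter than the chunk claims) leaves the stream position unverified before the rest of the BEXT chunk is parsed. A warning through the already-included log.h plus an error check on the skip, reusing the `ret` the hunk already has, covers both; the rewritten lines are below. wav_parse_bext_tag begins before this hunk, so whether `size` is guaranteed non-negative after `size -= 602` (which the FFMIN3 and the `read_len + 1` allocation rely on) cannot be confirmed from here.
```c
    if (read_len < size) {
        av_log(s, AV_LOG_WARNING,
               "BEXT coding history truncated to %d bytes (max_metadata_length)\n",
               read_len);
        if ((ret = avio_skip(s->pb, size - read_len)) < 0) {
            av_free(coding_history);
            return ret;
        }
    }
    /* … unchanged: coding_history[read_len] = 0; av_dict_set … */
```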
