Would it not be better as a build option (on by default say) that would
exit with an error message when trying to open a questionable file? That
way you get safety by default with an easy path to follow for those who
need it.

This is assuming of course that it’s not easier just to guard against
whatever the knock-on effects of large numbers of channels are. Like what’s
the actual attack vector here?

On Sun, 5 Dec 2021 at 10:44, Larry Gritz <[email protected]> wrote:

> The other alternative, I suppose, is to have no limits by default, and
> apps that wish to be "safe" need to proactively make a call to set up the
> guardrails. But then you have to trust the majority of apps to set it, and
> to do so sensibly (or risk not having any input sensibility validation in
> place), rather than trusting just the very few who need higher limits to
> know how to raise the controls.
>
> Things like this are of growing concern to all our popular open source
> libraries (not just OIIO), especially the ones successful enough to make
> their way into commercial apps, cloud services, etc. -- those vendors
> become paranoid (and rightfully so) that the library becomes an attack
> surface that makes the whole app or service vulnerable to maliciously
> crafted input. The few people who are out there looking for and exploiting
> every possible way to subvert the software stack are really making life
> complicated and miserable for the rest of us. This is why we can't have
> nice things.
>
>
> On Nov 18, 2021, at 11:29 PM, Larry Gritz <[email protected]> wrote:
>
> From oiiotool, you just need to inject that attribute into the output, and
> it will be understood by the dpx output (and ignored by any other formats,
> because it starts with dpx:).
>
> oiiotool foo.exr --attrib "dpx:Packing" "Packed" -o out.dpx
>
>
>
> On Nov 18, 2021, at 11:33 AM, Andrew Klaassen <
> [email protected]> wrote:
>
> Hi,
>
> I'm just starting to use oiiotool, and after reading through some of the
> docs I haven't been able to figure this out: How can I output a DPX frame
> with dpx:Packing = Packed?
>
> I see that the Bundled ImageIO Plugins page mentions this as a "custom I/O
> feature", but I can't seem to find any option in oiiotool to access it.  Is
> it API-only, or is there a switch in oiiotool that I'm not seeing?
>
> Unfortunately, some of our tools are erroring out on the "Filled, method
> A" packing that oiiotool outputs by default.
>
> Thanks.
>
> Andrew
>
> *Andrew Klaassen*
> Pipeline TD
> +1.416.530.9900 x257 | brownbagfilms.com <https://www.brownbagfilms.com/>
> _______________________________________________
> Oiio-dev mailing list
> [email protected]
> http://lists.openimageio.org/listinfo.cgi/oiio-dev-openimageio.org
>
>
> --
> Larry Gritz
> [email protected]
>
> --
> Larry Gritz
> [email protected]