[FFmpeg-devel] [PATCH] avformat/options_table: Set the default maximum number of streams to 100

Michael Niedermayer michael at niedermayer.cc
Sat Dec 10 21:20:07 EET 2016


On Fri, Dec 09, 2016 at 06:56:53AM -0500, Ronald S. Bultje wrote:
> Hi,
> 
> On Thu, Dec 8, 2016 at 7:03 PM, Andreas Cadhalpun <
> andreas.cadhalpun at googlemail.com> wrote:
> 
> > On 08.12.2016 22:59, Carl Eugen Hoyos wrote:
> > > 2016-12-08 18:37 GMT+01:00 Michael Niedermayer <michael at niedermayer.cc>:
> > >
> > >> -{"max_streams", "maximum number of streams", OFFSET(max_streams),
> > AV_OPT_TYPE_INT, { .i64 = INT_MAX }, 0, INT_MAX, D },
> > >> +{"max_streams", "maximum number of streams", OFFSET(max_streams),
> > AV_OPT_TYPE_INT, { .i64 = 100 }, 0, INT_MAX, D },
> > >
> > > I wanted to suggest 1000 which is still a magnitude less than the
> > provided
> > > crashing sample but 255 also sounds ok to me.
> >
> > Either value is OK. The important thing is that it's several orders of
> > magnitude lower than INT_MAX.
> 
> 
> On IRC, we discussed at what values OOM start occurring, which seems to be
> around 30k-60k, so from there I suggested a value like 10k or 5k. 1000
> seems a little low but I think I can live with it (I doubt ATM I can come
> up with legit use cases that use 1000 streams).
> 

> If people hit the limit (whatever value we choose), I would propose that we
> make the error message very specific, something similar to
> AVERROR_PATCHWELCOME. This way, people understand this is not a hard
> limitation and can be changed easily; fuzzers will obviously ignore this
> message.

new patchset with higher limit, error messsage and reference to the
CVE# posted

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who are best at talking, realize last or never when they are wrong.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20161210/f860e0e3/attachment.sig>


More information about the ffmpeg-devel mailing list