2017-11-04 10:23 GMT+01:00 Paul B Mahol <one...@gmail.com>:
> On 11/4/17, Carl Eugen Hoyos <ceffm...@gmail.com> wrote:
>> 2017-11-01 17:03 GMT+01:00 Carl Eugen Hoyos <ceffm...@gmail.com>:
>>> 2017-11-01 17:01 GMT+01:00 Paul B Mahol <one...@gmail.com>:
>>>> On 11/1/17, Carl Eugen Hoyos <ceffm...@gmail.com> wrote:
>>>>> 2017-11-01 15:40 GMT+01:00 Paul B Mahol <one...@gmail.com>:
>>>>>> On 11/1/17, Carl Eugen Hoyos <ceffm...@gmail.com> wrote:
>>>>>>> Hi!
>>>>>>>
>>>>>>> It appears to me that the alac decoder can be used for DoS,
>>>>>>> the attached patch limits the maximum frame size to eight
>>>>>>> times the default value.
>>>>>>> (Higher values break our encoder here.)
>>>>>>>
>>>>>>> Please comment and / or suggest another value, Carl Eugen
>>>>>>>
>>>>>>
>>>>>> So alac encoder can not handle bigger frames or what?
>>>>>>
>>>>>> Look at other alac encoders, what are their limit on frame size?
>>>>>
>>>>> I am not sure if it is enough to look on Apple's encoder, after
>>>>> all, their decoder looks exploitable (or maybe I miss something).
>>>>>
>>>>>> The limit you set is too low IMHO.
>>>>>
>>>>> Could you suggest a limit that's below the several-GB area?
>>>>
>>>> I remember some lossless audio codecs can have very big
>>>> frames, several MB.
>>>
>>> So what about 4096 * 4096 as an arbitrary limit?
>>
>> Any opinion?
>
> ok

Patch applied.

Thank you, Carl Eugen
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
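
An added example, not the attached patch and not FFmpeg code: the kind of check the thread settles on, rejecting a declared frame size above 4096 * 4096 before any buffer is sized from it. The function name, the 32-bit big-endian field, the channel bound of 8 and the sample header bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Upper bound on samples per frame, the value agreed in the thread. */
#define MAX_FRAME_SAMPLES (4096u * 4096u)
/* Assumed channel bound for this example. */
#define MAX_CHANNELS 8u

/* Constructed sample fields (big-endian), not taken from any real file. */
const uint8_t FIELD_4096[4]     = { 0x00, 0x00, 0x10, 0x00 }; /* 4096        */
const uint8_t FIELD_AT_LIMIT[4] = { 0x01, 0x00, 0x00, 0x00 }; /* 4096 * 4096 */
const uint8_t FIELD_OVER[4]     = { 0x01, 0x00, 0x00, 0x01 }; /* limit + 1   */
const uint8_t FIELD_HUGE[4]     = { 0xFF, 0xFF, 0xFF, 0xFF }; /* ~4G samples */
const uint8_t FIELD_ZERO[4]     = { 0x00, 0x00, 0x00, 0x00 };

/* Read a 32-bit big-endian value from untrusted header bytes. */
static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Hypothetical helper: return the number of bytes needed to hold one
 * decoded frame of 32-bit samples, or 0 if the declared size is rejected.
 * Without the upper bound, 0xFFFFFFFF samples would ask for 16 GiB per
 * channel, which is the "several-GB area" the thread wants to stay below.
 */
size_t frame_buffer_bytes(const uint8_t *field, unsigned channels)
{
    uint32_t samples = rd_be32(field);

    if (samples == 0 || samples > MAX_FRAME_SAMPLES)
        return 0;
    if (channels == 0 || channels > MAX_CHANNELS)
        return 0;
    /* samples <= 2^24, channels <= 8, 4 bytes each: at most 2^29 bytes,
     * so the product cannot overflow even a 32-bit size_t. */
    return (size_t)samples * channels * sizeof(int32_t);
}

int main(void)
{
    printf("4096 samples, stereo: %zu bytes\n", frame_buffer_bytes(FIELD_4096, 2));
    printf("0xFFFFFFFF samples:   %zu (rejected)\n", frame_buffer_bytes(FIELD_HUGE, 2));
    return 0;
}
```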