On 01/06/2018 11:23, Liang Xia wrote:
> Issues for clarification:
> In Security Considerations, besides the DoS attacks brought by the malicious
> payloads, are there any other kinds of attack possible? For example, a virus or
> worm hidden in the malicious payloads to attack the system for more
> damage? Does it make sense, and what's the consideration?
IMO transport of a virus or worm is doable in the bitstream and could
attack the system if there are buffer overflows in the decoding
software, but it is not more dangerous than any other protocol or format (it
depends on bugs in the decoding software).
Checking e.g. the Opus spec (I tried the AV1 draft, but there is no security chapter
right now, if I searched correctly), I see generic sentences like:
"It is extremely
important for the decoder to be robust against malicious payloads.
Malicious payloads must not cause the decoder to overrun its
allocated memory or to take an excessive amount of resources to
decode."
"The reference implementation contains no known buffer overflow or
cases where a specially crafted packet or audio segment could cause a
significant increase in CPU load."
"The reference implementation was validated in the following
conditions: (...)" (note: we ran the same tests on our side)
We could add such sentences in FFV1 security section.
About the reference decoder, there are some hard-coded limitations (e.g.
maximum 1024 slices per frame, an arbitrary choice which is sometimes
increased in the code) for dropping frames which could use too much
memory, and the decoder tries to allocate memory for big frames (e.g. if
you try to decode 1,000,000x1,000,000 pixel frames, FFmpeg will try
to allocate the corresponding memory as for any other format, and rejects
the frame because memory cannot be allocated). I don't think it is worth
it to put details about that in the spec, as FFmpeg code may change; maybe
the generic sentences are enough?
Thank you for your review.
Jérôme
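The mitigation described in the reply (hard limits on slice count and frame size, and refusing a frame before its buffer is ever requested) can be illustrated with a small decoder front end. The following is an added example written for this thread, not FFV1's or FFmpeg's code: it parses a hypothetical 16-byte little-endian frame header, validates it against fixed bounds, checks the width*height*bytes_per_pixel arithmetic for overflow, and only then calls the allocator. The 1024-slice figure comes from the mail above; the header layout, the dimension and pixel ceilings, the bytes-per-pixel cap and the error codes are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed limits. MAX_SLICES_PER_FRAME mirrors the value mentioned in
 * the mail; the other ceilings are hypothetical choices for this example. */
#define MAX_SLICES_PER_FRAME 1024u
#define MAX_DIMENSION        16384u           /* per axis, in pixels */
#define MAX_PIXELS           (1u << 28)       /* width * height ceiling */
#define MAX_BYTES_PER_PIXEL  16u

enum frame_status {
    FRAME_OK = 0,
    FRAME_ERR_TRUNCATED,   /* header shorter than 16 bytes */
    FRAME_ERR_DIMENSION,   /* zero or oversized width/height */
    FRAME_ERR_SLICES,      /* zero or more than MAX_SLICES_PER_FRAME */
    FRAME_ERR_BPP,         /* zero or oversized bytes per pixel */
    FRAME_ERR_OVERFLOW,    /* size arithmetic would wrap */
    FRAME_ERR_ALLOC        /* allocator refused the (already bounded) size */
};

/* Hypothetical header: four little-endian uint32 fields. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t slice_count;
    uint32_t bytes_per_pixel;
} frame_header;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Helper to build a constructed header for demonstration and tests. */
void write_header(uint8_t out[16], uint32_t w, uint32_t h,
                  uint32_t slices, uint32_t bpp) {
    uint32_t v[4] = { w, h, slices, bpp };
    for (int i = 0; i < 4; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (uint8_t)(v[i] >> (8 * b));
}

/* Read the header without trusting any of its values yet. */
int parse_header(const uint8_t *buf, size_t len, frame_header *h) {
    if (buf == NULL || len < 16) return FRAME_ERR_TRUNCATED;
    h->width           = rd32(buf);
    h->height          = rd32(buf + 4);
    h->slice_count     = rd32(buf + 8);
    h->bytes_per_pixel = rd32(buf + 12);
    return FRAME_OK;
}

/* Apply the hard limits and compute the buffer size with overflow checks.
 * On success *frame_bytes holds the exact byte count the frame needs. */
int validate_frame(const frame_header *h, size_t *frame_bytes) {
    if (h->width == 0 || h->height == 0 ||
        h->width > MAX_DIMENSION || h->height > MAX_DIMENSION)
        return FRAME_ERR_DIMENSION;
    if (h->slice_count == 0 || h->slice_count > MAX_SLICES_PER_FRAME)
        return FRAME_ERR_SLICES;
    if (h->bytes_per_pixel == 0 || h->bytes_per_pixel > MAX_BYTES_PER_PIXEL)
        return FRAME_ERR_BPP;

    /* Per-axis bounds already make this safe on 64-bit size_t; the explicit
     * checks keep it correct if the limits are raised or size_t is 32-bit. */
    if ((size_t)h->width > SIZE_MAX / h->height) return FRAME_ERR_OVERFLOW;
    size_t pixels = (size_t)h->width * h->height;
    if (pixels > MAX_PIXELS) return FRAME_ERR_DIMENSION;
    if (pixels > SIZE_MAX / h->bytes_per_pixel) return FRAME_ERR_OVERFLOW;

    *frame_bytes = pixels * h->bytes_per_pixel;
    return FRAME_OK;
}

/* Front end: parse, validate, and only then allocate. The allocator is never
 * asked for an unbounded size, and its failure is reported, not ignored. */
int decode_frame_header(const uint8_t *buf, size_t len,
                        uint8_t **out, size_t *out_len) {
    frame_header h;
    size_t bytes = 0;
    int rc;

    *out = NULL;
    *out_len = 0;
    if ((rc = parse_header(buf, len, &h)) != FRAME_OK) return rc;
    if ((rc = validate_frame(&h, &bytes)) != FRAME_OK) return rc;

    *out = calloc(bytes, 1);
    if (*out == NULL) return FRAME_ERR_ALLOC;
    *out_len = bytes;
    return FRAME_OK;
}

int main(void) {
    uint8_t hdr[16];
    uint8_t *frame;
    size_t n;
    write_header(hdr, 1920, 1080, 64, 3);               /* constructed */
    int rc = decode_frame_header(hdr, sizeof hdr, &frame, &n);
    free(frame);
    return rc == FRAME_OK ? 0 : 1;
}
```

The ordering is the point: every rejection in `validate_frame` happens before `calloc` is reached, so an oversized header costs the decoder a few comparisons rather than an allocation attempt, and a header that passes the checks has a buffer size the decoder computed itself rather than one read from the input.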