[FFmpeg-devel] [PATCH] lavfi/drawtext: add support for printing frame numbers
Nicolas George
nicolas.george at normalesup.org
Thu Nov 22 12:22:59 CET 2012
Le duodi 2 frimaire, an CCXXI, Stefano Sabatini a écrit :
> + at item n
> +The frame number, starting from 0. It can accept one argument: the
> +printf() format to use for printing the number, if not specified it
> +defaults to @code{%d}.
Apart from the fact that it encourages people to use the frame number, which
is wrong but is not actually a problem, I have two problems with this patch.
First, very minor, I find "n" way too short. "frameno"?
Second, more severe: format string vulnerability. Until now, a server can
accept an arbitrary text, quote it or store it in a file, and feed it to
drawtext: the worst that can happen is that the %{...} are malformed and
drawtext will fail gracefully. With this change, %{n:%n}, for example, will
cause a segfault, and a more carefully crafted format can lead to an
exploit.
That is exactly the reason I did not implement the same feature for the
"pts" function. At some point I intend to, but the format string needs to be
sanitized somehow.
Regards,
--
Nicolas George
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20121122/00cc49da/attachment.asc>
More information about the ffmpeg-devel
mailing list