[FFmpeg-devel] [RFC][PATCH] configure: Disable unsafe demuxers by default

Rostislav Pehlivanov atomnuker at gmail.com
Thu May 10 18:55:58 EEST 2018


On 10 May 2018 at 16:44, Derek Buitenhuis <derek.buitenhuis at gmail.com>
wrote:

> These demuxers have probes that mainly probe based on file extension,
> and map to codec IDs that render text as video. The result is that
> ffmpeg will, by default, happily render, for example, .txt files
> as images. This is not exactly a good security practice, and only
> makes it easier for potential attackers to gain the contents of
> system files.
>
> Disable building these by default.
>
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis at gmail.com>
> ---
> I've been hard disabling these at $dayjob for a long time, after some
> "interesting" upload attempts, but it should probably be done for
> everyone.
>
> I'm not overly attached to implementation details like the option name
> or whether it's done at build time or runtime, but I think the concept
> of "don't render arbitrary system text files" is an important one.
> ---
>  Changelog     | 1 +
>  configure     | 7 +++++++
>  tests/fate.sh | 1 +
>  3 files changed, 9 insertions(+)
>
> diff --git a/Changelog b/Changelog
> index d442ced..e3f8e83 100644
> --- a/Changelog
> +++ b/Changelog
> @@ -6,6 +6,7 @@ version <next>:
>  - tmix filter
>  - amplify filter
>  - fftdnoiz filter
> +- unsafe demuxers that render text files now disabled by default
>
>
>  version 4.0:
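
Review bot: The Changelog entry on the added line does not name the affected demuxers or the option that brings them back, so a user whose build stops opening these files has nothing to search for. Suggest listing adf, bintext, idf, tty and xbin in the entry and mentioning --enable-unsafe-demuxers.
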
> diff --git a/configure b/configure
> index a1f13a7..2f2805e 100755
> --- a/configure
> +++ b/configure
> @@ -107,6 +107,7 @@ Configuration options:
>    --enable-small           optimize for size instead of speed
>    --disable-runtime-cpudetect disable detecting CPU capabilities at
> runtime (smaller binary)
>    --enable-gray            enable full grayscale support (slower color)
> +  --enable-unsafe-demuxers enable unsafe-by-default demuxers
>    --disable-swscale-alpha  disable alpha channel support in swscale
>    --disable-all            disable building components, libraries and
> programs
>    --disable-autodetect     disable automatically detected external
> libraries [no]
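
Review bot: The help text on the added --enable-unsafe-demuxers line says neither which demuxers it covers nor why they are considered unsafe, and it lacks the default marker that the neighbouring --disable-autodetect line carries ("[no]"). Suggest something like "enable demuxers that render text files as video (adf, bintext, idf, tty, xbin) [no]".
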
> @@ -1784,6 +1785,7 @@ FEATURE_LIST="
>      small
>      static
>      swscale_alpha
> +    unsafe_demuxers
>  "
>
>  LIBRARY_LIST="
> @@ -3100,6 +3102,7 @@ videotoolbox_encoder_deps="videotoolbox
> VTCompressionSessionPrepareToEncodeFrame
>
>  # demuxers / muxers
>  ac3_demuxer_select="ac3_parser"
> +adf_demuxer_deps="unsafe_demuxers"
>  aiff_muxer_select="iso_media"
>  asf_demuxer_select="riffdec"
>  asf_o_demuxer_select="riffdec"
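
Review bot: The added adf_demuxer_deps="unsafe_demuxers" line, like the four matching additions in the following hunks, carries no comment saying why the demuxer is gated, and the five lines end up scattered through the alphabetical list. A short comment, or one grouped block holding all five _deps lines, would make the policy visible in configure and give a future text-rendering demuxer an obvious place to be added.
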
> @@ -3107,6 +3110,7 @@ asf_muxer_select="riffenc"
>  asf_stream_muxer_select="asf_muxer"
>  avi_demuxer_select="iso_media riffdec exif"
>  avi_muxer_select="riffenc"
> +bintext_demuxer_deps="unsafe_demuxers"
>  caf_demuxer_select="iso_media riffdec"
>  caf_muxer_select="iso_media"
>  dash_muxer_select="mp4_muxer"
> @@ -3124,6 +3128,7 @@ flac_demuxer_select="flac_parser"
>  hds_muxer_select="flv_muxer"
>  hls_muxer_select="mpegts_muxer"
>  hls_muxer_suggest="gcrypt openssl"
> +idf_demuxer_deps="unsafe_demuxers"
>  image2_alias_pix_demuxer_select="image2_demuxer"
>  image2_brender_pix_demuxer_select="image2_demuxer"
>  ipod_muxer_select="mov_muxer"
> @@ -3167,6 +3172,7 @@ swf_demuxer_suggest="zlib"
>  tak_demuxer_select="tak_parser"
>  tg2_muxer_select="mov_muxer"
>  tgp_muxer_select="mov_muxer"
> +tty_demuxer_deps="unsafe_demuxers"
>  vobsub_demuxer_select="mpegps_demuxer"
>  w64_demuxer_select="wav_demuxer"
>  w64_muxer_select="wav_muxer"
> @@ -3176,6 +3182,7 @@ webm_muxer_select="iso_media riffenc"
>  webm_dash_manifest_demuxer_select="matroska_demuxer"
>  wtv_demuxer_select="mpegts_demuxer riffdec"
>  wtv_muxer_select="mpegts_muxer riffenc"
> +xbin_demuxer_deps="unsafe_demuxers"
>  xmv_demuxer_select="riffdec"
>  xwma_demuxer_select="riffdec"
>
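
Review bot: With xbin_demuxer_deps="unsafe_demuxers" and its siblings in place, the patch does not say what happens when someone passes --enable-demuxer=xbin, or uses --disable-all with an explicit demuxer list, without also passing --enable-unsafe-demuxers. Please state the intended behaviour in the commit message or help text, and check that configure reports the unmet dependency rather than dropping the demuxer silently.
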
> diff --git a/tests/fate.sh b/tests/fate.sh
> index 0edee7f..6a99d66 100755
> --- a/tests/fate.sh
> +++ b/tests/fate.sh
> @@ -49,6 +49,7 @@ configure()(
>          --enable-gpl                                                    \
>          --enable-memory-poisoning                                       \
>          --enable-avresample                                             \
> +        --enable-unsafe-demuxers                                        \
>          ${ignore_tests:+--ignore-tests="$ignore_tests"}                 \
>          ${arch:+--arch=$arch}                                           \
>          ${cpu:+--cpu="$cpu"}                                            \
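
Review bot: Adding --enable-unsafe-demuxers unconditionally to configure() in tests/fate.sh means FATE only ever builds the non-default configuration, so the new default (these demuxers absent) gets no build or test coverage. Consider making the flag overridable from the FATE config, or note which tests depend on these demuxers so the rest can also run on a default build.
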
> --
> 1.8.3.1
>

Could you send a patch to disable the decoders as well?
Looks good otherwise.

