[FFmpeg-devel] [PATCH v10 1/2] avformat/imf: Demuxer

Anton Khirnov anton at khirnov.net
Tue Dec 14 12:31:26 EET 2021


Quoting pal at sandflow.com (2021-12-13 06:43:35)
> From: Pierre-Anthony Lemieux <pal at palemieux.com>
> 
> Signed-off-by: Pierre-Anthony Lemieux <pal at palemieux.com>
> ---
> 
> Notes:
>     The IMF demuxer accepts as input an IMF CPL. The assets referenced by the CPL can be
>     contained in multiple deliveries, each defined by an ASSETMAP file:
>     
>     ffmpeg -assetmaps <path of ASSETMAP1>,<path of ASSETMAP>,... -i <path of CPL>
>     
>     If -assetmaps is not specified, FFMPEG looks for a file called ASSETMAP.xml in the same directory as the CPL.
>     
>     EXAMPLE:
>         ffmpeg -i http://ffmpeg-imf-samples-public.s3-website-us-west-1.amazonaws.com/countdown/CPL_f5095caa-f204-4e1c-8a84-7af48c7ae16b.xml out.mp4
>     
>     The Interoperable Master Format (IMF) is a file-based media format for the
>     delivery and storage of professional audio-visual masters.
>     An IMF Composition consists of an XML playlist (the Composition Playlist)
>     and a collection of MXF files (the Track Files). The Composition Playlist (CPL)

As far as I can tell, nothing enforces that the files opened are
actually MXF. Perhaps that should be done. Otherwise I can imagine at
least the danger of recursion.

More generally, I am somewhat concerned about the security implications
of all this. From a brief glance at the patch, the demuxer just opens
whatever arbitrary URLs it finds in the asset maps. Have you considered
what undesirable effects (like information leaks) this might have?

-- 
Anton Khirnov


More information about the ffmpeg-devel mailing list