FFV1: Add security considerations
Based on RFC6716

Github: Closes #20

Reviewed-by: Dave Rice <dave@dericed.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
michaelni committed Jul 12, 2016
1 parent 5abe932 commit 41cc0f2
Showing 1 changed file with 27 additions and 0 deletions.
27 changes: 27 additions & 0 deletions ffv1.md
@@ -902,6 +902,23 @@ For each frame, each position in the slice raster MUST be filled by one and only

For each Frame with keyframe value of 0, each slice MUST have the same value of slice\_x, slice\_y, slice\_width, slice\_height as a slice in the previous frame, except if reset\_contexts is 1.

# Security Considerations

Like any other codec, (such as [OPUS](#references)), FFV1 should not be used with insecure ciphers or cipher-modes that are vulnerable to known plaintext attacks. Some of the header bits as well as the padding are easily predictable.

Implementations of the FFV1 codec need to take appropriate security considerations into account, as outlined in [DOS](#references). It is extremely important for the decoder to be robust against malicious payloads. Malicious payloads must not cause the decoder to overrun its allocated memory or to take an excessive amount of resources to decode. Although problems in encoders are typically rarer, the same applies to the encoder. Malicious video streams must not cause the encoder to misbehave because this would allow an attacker to attack transcoding gateways. A frequent security problem in image and video codecs is also to not check for integer overflows in pixel count computations, that is to allocate width * height without considering that the multiplication result may have overflowed the arithmetic types range.

The reference implementation [REFIMPL](#references) contains no known buffer overflow or cases where a specially crafted packet or video segment could cause a significant increase in CPU load.

The reference implementation [REFIMPL](#references) was validated in the following conditions:

* Sending the decoder valid packets generated by the reference encoder and verifying that the decoder's output matches the encoders input.
* Sending the decoder packets generated by the reference encoder and then subjected to random corruption.
* Sending the decoder random packets that are not FFV1.

In all of the conditions above, the decoder and encoder was run inside the Valgrind [VALGRIND](#references) memory debugger as well as clangs address sanitizer [ASAN](#references), which track reads and writes to invalid memory regions as well as the use of uninitialized memory. There were no errors reported on any of the tested conditions.


# Appendixes

## Decoder implementation suggestions
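
Review bot: The claim in the REFIMPL paragraph that no crafted packet or video segment "could cause a significant increase in CPU load" is not backed by the validation described after it, because Valgrind and ASAN as described there only track invalid memory accesses and use of uninitialized memory. Either describe how decode time or resource use was measured on the corrupted and random inputs, or limit the claim to memory safety. The integer overflow sentence about width * height is phrased as an observation while the surrounding spec text uses MUST; consider making the overflow check a normative requirement. Wording nits in the same hunk: "Like any other codec, (such as" has a stray comma, "the decoder and encoder was run" should be "were run", and "encoders input", "clangs address sanitizer" and "arithmetic types range" are missing apostrophes.
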
@@ -965,6 +982,16 @@ Information technology Coding of audio-visual objects Part 12: ISO base media fi

NUT Open Container Format <https://www.ffmpeg.org/~michael/nut.txt>

DOS Handley, M., Rescorla, E., and IAB, "Internet Denial-of-Service Considerations", RFC 4732, December 2006.

VALGRIND "Valgrind website", <http://valgrind.org/>.

ASAN Addresss Sanitizer, <http://clang.llvm.org/docs/AddressSanitizer.html>.

REFIMPL, The reference FFV1 implementation / the FFV1 codec in FFmpeg, <https://ffmpeg.org/>.

OPUS, Definition of the Opus Audio Codec, <https://www.ietf.org/rfc/rfc6716.txt>

# Copyright

Copyright 2003-2013 Michael Niedermayer \<michaelni@gmx.at\>
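
Review bot: The REFIMPL entry points at <https://ffmpeg.org/> without a version, release or commit, so the "contains no known buffer overflow" statement in the Security Considerations text cannot be tied to a specific state of the code; name the version that was tested. The new entries are also inconsistent with each other: "Addresss Sanitizer" has an extra "s", REFIMPL and OPUS put a comma after the label while DOS, VALGRIND and ASAN do not, the OPUS entry lacks the closing period, and OPUS is cited by URL only while DOS is cited with authors, title and RFC number.
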