Skip to content

Security: cap E-RTMP multitrack sub-track count (fixes #131)#132

Merged
AlexanderWagnerDev merged 17 commits into
mainfrom
cursor/application-security-review-6876
Jul 16, 2026
Merged

Security: cap E-RTMP multitrack sub-track count (fixes #131)#132
AlexanderWagnerDev merged 17 commits into
mainfrom
cursor/application-security-review-6876

Conversation

@cursor

@cursor cursor Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Security fix

Fixes #131

Finding

Severity: Medium (CPU exhaustion / poll-loop DoS)
Location: src/ertmp/multitrack_media.rs

Problem

foreach_track parsed an unbounded number of sub-tracks from a single E-RTMP multitrack A/V message. A 4 MiB ManyTracks container can encode ~1,048,574 zero-byte sub-tracks, each triggering on_frame_cb and intermediate Vec allocations. Nested inside aggregate messages (4096 sub-tag cap), amplification multiplies further.

Fix

  • Introduce MAX_MULTITRACK_SUBTRACKS = 4096 (matching the existing aggregate sub-tag cap).
  • Reject containers exceeding the cap before invoking callbacks.
  • Add regression test rejects_multitrack_messages_with_too_many_subtracks.

Verification

cargo test --no-default-features multitrack — all 21 multitrack-related tests pass.

Open in Web View Automation 

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

Summary by CodeRabbit

  • Bug Fixes
    • Added a limit of 4,096 sub-tracks when processing multitrack media.
    • Prevented oversized multitrack messages from producing additional track data.
    • Improved handling of messages that exceed the supported sub-track limit.

Reject multitrack containers with more than 4096 sub-tracks, matching
the existing aggregate sub-tag cap. A single 4 MiB message could
otherwise encode ~1M zero-byte tracks and force millions of callback
iterations per poll tick.

Co-authored-by: Alexander Wagner <info@alexanderwagnerdev.com>
@AlexanderWagnerDev AlexanderWagnerDev marked this pull request as ready for review July 16, 2026 11:13
@AlexanderWagnerDev

Copy link
Copy Markdown
Contributor

@CodeRabbit review

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: e34d620f-e10d-4217-be01-173668c9990c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds a 4096-sub-track cap to multitrack parsing and verifies successful parsing at the limit plus rejection with no callbacks when the limit is exceeded.

Changes

Multitrack parser limit

Layer / File(s) Summary
Sub-track cap and boundary tests
src/ertmp/multitrack_media.rs
Defines MAX_MULTITRACK_SUBTRACKS, enforces it in foreach_track, and tests callback counts for messages at and above the limit.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested reviewers: alexanderwagnerdev

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: capping E-RTMP multitrack sub-track parsing for a security fix.
Linked Issues check ✅ Passed The PR implements the requested 4096 sub-track cap and rejects oversized containers before callbacks, matching issue #131.
Out of Scope Changes check ✅ Passed The changes stay focused on multitrack parsing limits and regression tests, with no clear unrelated additions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cursor/application-security-review-6876

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@AlexanderWagnerDev

Copy link
Copy Markdown
Contributor

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e43436364f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +112 to +113
if tracks.len() >= MAX_MULTITRACK_SUBTRACKS {
return false;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Don't report over-limit multitrack as ordinary media

When a publisher sends a multitrack container with more than 4096 subtracks, this new branch makes foreach_track return false, but callers such as Conn::handle_media_message and Client::deliver_av_frame_cb interpret false as “not multitrack” and then invoke the normal single-frame callback/relay path. That means the over-limit packet is not actually rejected at the session/client layer; it is reclassified as an opaque ordinary media frame. Please return a distinguishable parse error/drop signal, or have callers avoid the fallback when is_multitrack_container(...) was true.

Useful? React with 👍 / 👎.

@AlexanderWagnerDev AlexanderWagnerDev merged commit 08d9bfa into main Jul 16, 2026
32 checks passed
@AlexanderWagnerDev AlexanderWagnerDev deleted the cursor/application-security-review-6876 branch July 16, 2026 12:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

E-RTMP multitrack parser allows CPU amplification via unbounded sub-track count

2 participants