
security: fix command injection and buffer overflow vulnerabilities#1

Open
devin-ai-integration[bot] wants to merge 1 commit into master from devin/1776331552-security-fixes

Conversation

@devin-ai-integration


Summary

Addresses several security vulnerabilities found during a codebase audit:

tools/normalize.py — Eliminates shell command injection. The user-supplied filename (sys.argv[1]) was interpolated into a command string and executed with subprocess.check_output(..., shell=True). Replaced with a list-based invocation (shell=False), so filenames with shell metacharacters are no longer interpreted.

ffserver.c — Replaces 6 instances of unbounded strcpy/strcat with av_strlcpy/av_strlcat in the network-facing HTTP server code (start_children, http_parse_request, compute_status, open_input_stream). These prevent potential buffer overflows if source strings ever approach or exceed destination buffer sizes.

quick_demo.ipynb — Replaces os.system() with subprocess.run() using an argument list to eliminate shell injection via glob-derived filenames. (Note: the notebook diff is large due to JSON re-indentation from json.dump; the actual code change is a single line.)

Review & Testing Checklist for Human

  • Verify av_strlcat size argument in start_children (line 513): The third arg must be the total buffer size, not remaining space. The buffer is allocated as slash - my_program_name + sizeof("ffmpeg") (or sizeof("ffmpeg") if no slash). Confirm the size expression matches the allocation.
  • Verify av_strlcpy size arguments in compute_status: The expressions sizeof(sfilename) - (eosf - sfilename) compute remaining space from eosf to end of sfilename[1024]. Confirm these are correct given that eosf can be reassigned via strrchr.
  • Confirm the notebook change is just the os.system → subprocess.run swap: The diff rewrites the entire notebook due to JSON reformatting. The only semantic change should be in the cell that previously called os.system('ffmpeg -y -loglevel error -i examples/{} -ar 16000 examples/tmp.wav'.format(ain)).

Notes

  • The C changes were not compile-tested (no ./configure + make was run), since the build environment wasn't set up. The functions av_strlcpy/av_strlcat are declared in libavutil/avstring.h, which ffserver.c already includes (line 41).
  • A full security audit report was produced covering additional findings (TLS verify defaults to off, missing ffserver authentication, weak RNG in benchmarks, etc.) that are documented but not fixed in this PR due to requiring architectural changes.

Link to Devin session: https://app.devin.ai/sessions/def8bac0843e4323957bd9a44a71cf4f
Requested by: @lien006
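The two ffserver.c checklist items above (the total-size argument for av_strlcat in start_children, and the remaining-space expression `sizeof(sfilename) - (eosf - sfilename)` in compute_status) both hinge on the size contract of the bounded copy functions. The following is an added example, not code from this PR or from FFmpeg: `bounded_strlcpy`/`bounded_strlcat` are local stand-ins with BSD strlcpy/strlcat semantics (the contract av_strlcpy/av_strlcat follow; libavutil is not linked here), and `replace_extension` is an illustrative reconstruction of the copy-at-`eosf` pattern described in the checklist, not compute_status itself. Buffer sizes are kept small so truncation is easy to trigger.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for av_strlcpy/av_strlcat (assumption: same semantics as
 * BSD strlcpy/strlcat).  The contract that the review checklist depends on:
 *   - `size` is always the TOTAL size of the destination buffer,
 *   - the result is always NUL-terminated when size > 0,
 *   - the return value is the length the result would have had without
 *     truncation, so `ret >= size` means the copy was cut short. */
static size_t bounded_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

static size_t bounded_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0;
    while (dlen < size && dst[dlen] != '\0')   /* bounded strlen of dst */
        dlen++;
    if (dlen == size)        /* dst not terminated inside size: append nothing */
        return size + strlen(src);
    return dlen + bounded_strlcpy(dst + dlen, src, size - dlen);
}

/* Pattern 1 (start_children item): copy a prefix, then append, passing the
 * TOTAL buffer size both times.  Returns 1 if everything fit, 0 on truncation. */
static int copy_then_append(char *buf, size_t bufsize,
                            const char *prefix, const char *suffix)
{
    if (bounded_strlcpy(buf, prefix, bufsize) >= bufsize)
        return 0;
    return bounded_strlcat(buf, suffix, bufsize) < bufsize;
}

/* Pattern 2 (compute_status item): write at a pointer `eosf` inside buf,
 * passing the REMAINING space, bufsize - (eosf - buf), as the size.
 * Caller guarantees eosf lies inside [buf, buf + bufsize). */
static int copy_at(char *buf, size_t bufsize, char *eosf, const char *piece)
{
    size_t remaining = bufsize - (size_t)(eosf - buf);
    return bounded_strlcpy(eosf, piece, remaining) < remaining;
}

/* Illustrative reconstruction (not compute_status): swap the extension of
 * `name` for `ext` inside a fixed buffer, e.g. "stream.mpg" -> "stream.asf".
 * eosf comes from strrchr, so the remaining-space expression is computed
 * from wherever eosf ended up, which is the point the checklist raises. */
static int replace_extension(char *buf, size_t bufsize,
                             const char *name, const char *ext)
{
    char *eosf;
    if (bounded_strlcpy(buf, name, bufsize) >= bufsize)
        return 0;
    eosf = strrchr(buf, '.');
    if (!eosf)
        eosf = buf + strlen(buf);   /* no extension: append at the end */
    return copy_at(buf, bufsize, eosf, ext);
}

int main(void)
{
    char path[32];
    char sfilename[16];   /* constructed small stand-in for sfilename[1024] */

    printf("%d %s\n", copy_then_append(path, sizeof(path), "/usr/local/bin/", "ffmpeg"), path);
    printf("%d %s\n", replace_extension(sfilename, sizeof(sfilename), "stream.mpg", ".asf"), sfilename);
    printf("%d %s\n", replace_extension(sfilename, sizeof(sfilename), "verylongname.mpeg", ".asf"), sfilename);
    return 0;
}
```

The useful habit this shows is checking the return value: a bounded copy never overflows, but it silently truncates, and for a path or filename a truncated result is still a bug. Passing remaining space where the function expects total size would make the bound too small (harmless truncation); passing total size where it expects remaining space, as with a copy starting at `eosf`, would make the bound too large and reintroduce the overflow the PR is removing.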

- tools/normalize.py: Replace shell=True subprocess with argument list
  to prevent command injection via crafted filenames
- quick_demo.ipynb: Replace os.system() with subprocess.run() using
  argument list to prevent shell injection
- ffserver.c: Replace all strcpy/strcat with av_strlcpy/av_strlcat
  to prevent potential buffer overflows in network-facing server code

Co-Authored-By: sky_005 <sky_005@126.com>
@devin-ai-integration


🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
