undefined | Better HN

0 pointsdefrost4mo ago0 comments

If only Google had the ability to custom compile FFmpeg to only include robust mainstream codecs.

In such a would they might even handball submitted obscure codecs to a full build in a sandbox to track bleeding edge malware.

0 comments

Ukv4mo ago

To my understanding this bug would affect anyone using ffmpeg on untrusted input. Google may already be limiting to certain codecs in their own use, but should still report the issue (as they have here).

GaryBluto4mo ago

Yeah but who cares about them, right? It's a volunteer project don't you know.

haskellshill4mo ago

Right, they probably already mitigated this bug in their own usage. Which is exactly why reporting the bug is a FAVOR to ffmpeg. Would you rather they just quietly fix it on their own and not report it to the maintainers?

defrostOP4mo ago

> Right, they probably already mitigated this bug in their own usage.

Indeed. A step so obvious it renders comments such as this:

  It's enabled by default so all that's required to exploit it would be to construct a payload file and name it movie.mp4

moot.

> Which is exactly why reporting the bug is a FAVOR to ffmpeg.

Not sure you have to SHOUT the obvious.

> Would you rather they just quietly fix it on their own and not report it to the maintainers?

What do you suppose the answer to that question to be?

Rebelgecko4mo ago

There's this weird "damned if you do, damned if you don't" situation on social media where people try to help and get reamed for not doing enough. Taylor Swift donated $500k to charity and people complaining she didn't round up to a million. After all, she can afford it.

But she ends up getting more criticism than the billionaire who donates nothing. Seems unfair but I guess it's human nature.

array_key_first4mo ago

I would rather they fix it and submit a patch like normal fucking people.

j / k navigate · click thread line to collapse