
104 points trollied | 6 comments
cebert ◴[] No.45785659[source]
It looks like the FFmpeg account on X is calling out Google for using AI to mass-report CVEs in obscure volunteer-maintained codecs, then expecting unpaid maintainers to rush fixes. Large, profitable firms rely on FFmpeg everywhere, but don’t seem to be contributing much to the project.
replies(4): >>45786257 #>>45786260 #>>45786339 #>>45792437 #
1. TZubiri ◴[] No.45786257[source]
You think Google uses FFmpeg for YouTube?
replies(2): >>45786261 #>>45786999 #
2. joatmon-snoo ◴[] No.45786261[source]
They do.
replies(1): >>45786433 #
3. defrost ◴[] No.45786433[source]
Full build with all the codecs, or a custom build with a limited vetted set?
replies(1): >>45786989 #
4. Telaneo ◴[] No.45786989{3}[source]
Does it matter?

Like, I don't expect Google to deliver patches for FFmpeg beyond bug fixes or features that directly benefit them, but that's the least you can expect.

replies(1): >>45787512 #
5. Telaneo ◴[] No.45786999[source]
They did once upon a time at least.[1] Most videos probably go through dedicated hardware nowadays, but it wouldn't surprise me if some videos still have to go the FFmpeg route that catches all the videos that the dedicated hardware can't handle.

[1] https://web.archive.org/web/20110315155125/https://multimedi...

6. defrost ◴[] No.45787512{4}[source]
It matters to Google if they process publicly submitted videos using FFmpeg codecs that can be exploited.

One would expect Google to only use FFmpeg with vetted codecs and to either reject videos with codecs that have untrusted FFmpeg modules or to sandbox any such processing, both for increased safety and perhaps to occasionally find new malware "in the wild".