
104 points trollied | 1 comments
vqtska ◴[] No.45785720[source]
I wonder if this vulnerable codec is enabled by default when building FFmpeg? Because if so, then it doesn't matter that it's a "1990s game codec" because any application using FFmpeg to accept arbitrary video files is vulnerable to memory corruption, which should probably be taken more seriously.
IshKebab ◴[] No.45786093[source]
I checked with Ubuntu's ffmpeg and it is enabled by default. There is a huge list of codecs enabled by default (maybe all of them?). Given the security track record of codecs implemented in C, this means it's basically guaranteed that there are dozens of security vulnerabilities in ffmpeg.

I think the same is probably true for VLC to a lesser extent, which is pretty wild considering I've never heard of it being used as an attack vector, e.g. via torrents.

haskellshill ◴[] No.45786299[source]
VLC is pretty popular on Windows, but ffmpeg? Is there any commonly used Windows app that relies on it? I doubt it'd be worth one's time to write exploits for desktop Linux.
1. michaelt ◴[] No.45786332[source]
Depends if any important websites are re-compressing user-uploaded videos. If there's a website converting user-uploaded gifs to mp4 to save on bandwidth or something, I wouldn't be surprised if they used ffmpeg to do it.
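
Added example, not part of any comment in this thread: one way to repeat the "is it enabled by default?" check from the comments above for a service that transcodes user uploads is to parse the output of `ffmpeg -decoders` and list every decoder outside the set the pipeline needs. The allowlist and the sample listing are constructed for illustration and do not identify the codec the thread discusses.

```python
import re
import subprocess

# Constructed sample of `ffmpeg -decoders` output (not captured from a real build).
SAMPLE = """\
Decoders:
 V..... = Video
 A..... = Audio
 S..... = Subtitle
 ..X... = Codec is experimental
 ------
 V....D 012v                 Uncompressed 4:2:2 10-bit
 VFS..D h264                 H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
 V....D gif                  CompuServe GIF (Graphics Interchange Format)
 A....D aac                  AAC (Advanced Audio Coding)
 A.X..D sonic                Sonic
"""

# Hypothetical allowlist for a GIF-to-MP4 upload pipeline; adjust per service.
ALLOWED = {"h264", "gif", "aac"}

# One table row: six flag characters, decoder name, free-text description.
ROW = re.compile(r"^\s*([VAS][.A-Z]{5})\s+(\S+)\s+(.*)$")

def parse_decoders(listing):
    """Return {name: (kind, experimental, description)} for each decoder row."""
    decoders, in_table = {}, False
    for line in listing.splitlines():
        if not in_table:
            # The legend precedes the dashed separator; rows start after it.
            in_table = line.strip().startswith("---")
            continue
        m = ROW.match(line)
        if m:
            flags, name, desc = m.groups()
            decoders[name] = (flags[0], flags[2] == "X", desc.strip())
    return decoders

def unexpected_decoders(listing, allowed=ALLOWED):
    """Decoders the build can run on untrusted input that the service never needs."""
    return sorted(set(parse_decoders(listing)) - set(allowed))

def installed_listing():
    """Decoder listing of the ffmpeg binary on PATH."""
    cmd = ["ffmpeg", "-hide_banner", "-decoders"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for name in unexpected_decoders(SAMPLE):  # swap in installed_listing() to audit a host
        print("enabled but not needed:", name)
```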