
104 points trollied | 2 comments
vqtska No.45785720
I wonder if this vulnerable codec is enabled by default when building FFmpeg? Because if so, then it doesn't matter that it's a "1990s game codec" because any application using FFmpeg to accept arbitrary video files is vulnerable to memory corruption, which should probably be taken more seriously.
IshKebab No.45786093
I checked with Ubuntu's ffmpeg and it is enabled by default. There is a huge list of codecs enabled by default (maybe all of them?). Given the security track record of codecs implemented in C, this means it's basically guaranteed that there are dozens of security vulnerabilities in ffmpeg.

I think the same is probably true for VLC to a lesser extent, which is pretty wild considering I've never heard of it being used as an attack vector, e.g. via torrents.
ls612 No.45787464
I think that the x264 and hevc codecs are much more battle tested and a 0day for them would be worth enough that nobody would bother using it on random torrenters.
IshKebab No.45788786
But you don't need to use a popular codec, because all codecs are enabled by default.
ls612 No.45791078
Yeah but most public trackers will give lots of side eye to torrents that contain an mkv that isn’t in one of those two formats.
1. IshKebab No.45793595
Really? You think trackers download files and analyse their contents before listing them? I don't.
2. ls612 No.45794519
TPB? No. But 1337 and rutracker definitely do basic quality control. Nothing like a private tracker but they take down things like .mkv.lnk and similar.