1125 points CrankyBear | 1 comments
theoldgreybeard No.45891941
The vulnerability in question is a Use After Free. Google used AI to find this bug; it would've taken them 3 seconds to fix it.

Burning cash to generate spam bug reports to burden volunteer projects when you have the extra cash to burn to just fix the damn issue leaves a very sour taste in my mouth.

1. toast0 No.45892230
Use After Free takes 3 seconds to fix if you defer free until the end of the program. If you have to do something else, or you don't want to leak memory, then it probably takes longer than 3 seconds.

Probably the right solution is to disable this codec. You should have to make a choice to compile with it; although if you're running ffmpeg in a context where security matters, you really should be hand-picking the enabled codecs anyway.
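
Added example, not part of the comment above or of the ffmpeg project: one way to check that an ffmpeg build only carries hand-picked decoders is to compare the output of `ffmpeg -hide_banner -decoders` against an allowlist. The allowlist contents, the function names and the sample listing (including the placeholder `example_legacy_codec`) are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Audit an ffmpeg build: report decoders that are compiled in but not allowlisted.
# Input format is the listing printed by `ffmpeg -hide_banner -decoders`:
# a legend, a line of dashes, then one "FLAGS NAME DESCRIPTION" row per decoder.

# Assumed allowlist for illustration; set it to what your pipeline actually needs.
ALLOWED_DECODERS="h264 hevc aac opus"

# Reads a decoder listing on stdin and prints every decoder name that is
# not in ALLOWED_DECODERS, one per line. Prints nothing if the build is clean.
unexpected_decoders() {
  awk -v allowed="$ALLOWED_DECODERS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^ *-+ *$/ { in_list = 1; next }   # dashes line ends the flag legend
    in_list && NF >= 2 && !($2 in ok) { print $2 }
  '
}

# Constructed sample listing (not captured from a real build).
sample_decoders() {
  cat <<'EOF'
Decoders:
 V..... = Video
 A..... = Audio
 ------
 V....D h264                 H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
 V....D example_legacy_codec Constructed placeholder entry
 A....D aac                  AAC (Advanced Audio Coding)
EOF
}

# Against a real binary:
#   ffmpeg -hide_banner -decoders | unexpected_decoders
```

Any name this prints is a candidate for `--disable-decoder=NAME` at configure time, or for starting from `--disable-everything` and enabling only the allowlisted decoders.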