top | item 10898287

(no title)

drv | 10 years ago

Anyone running FFmpeg[1] on untrusted input without sandboxing of some kind is being extremely negligent. It's around a million lines of C that does tricky file format parsing and decoding. There will definitely be bugs in any given version, and some of those bugs will be exploitable.

[1] Or any related tool (ffprobe, etc.), or any tool that uses the libav* libraries, or really any non-trivial multimedia processing tool...

discuss

No comments yet.