haskellshill | 4 months ago

>rarely anyone ever uses

It's enabled by default, so all that's required to exploit it would be to construct a payload file and name it movie.mp4.

defrost|4 months ago

If only Google had the ability to custom compile FFmpeg to only include robust mainstream codecs.

In such a world they might even handball submitted obscure codecs to a full build in a sandbox to track bleeding edge malware.

Ukv|4 months ago

To my understanding this bug would affect anyone using ffmpeg on untrusted input. Google may already be limiting to certain codecs in their own use, but should still report the issue (as they have here).

haskellshill|4 months ago

Right, they probably already mitigated this bug in their own usage. Which is exactly why reporting the bug is a FAVOR to ffmpeg. Would you rather they just quietly fix it on their own and not report it to the maintainers?