[FFmpeg-devel] [PATCH 3/3] avformat: add youtube-dl based demuxer

wm4 nfxjfg at googlemail.com
Fri Apr 10 11:17:16 CEST 2015


On Fri, 10 Apr 2015 08:29:58 +0200
Reimar Döffinger <Reimar.Doeffinger at gmx.de> wrote:

> On 08.04.2015, at 19:30, Hendrik Leppkes <h.leppkes at gmail.com> wrote:
> > On Wed, Apr 8, 2015 at 7:27 PM, Gilles Chanteperdrix
> > <gilles.chanteperdrix at xenomai.org> wrote:
> >> 
> >>> Nice security hole.
> >> 
> >> How is that? I do not see any buffer overflow possible.
> >> 
> > 
> > Executing a command with system() is very unsafe.
> 
> These kinds of issues are, btw., one of the reasons that from my point of view speak for having such functionality in FFmpeg.
> If you leave it to the applications, at least half of them will have such security holes.

Not at all. This is the case for using better ways to call subprocesses
(depending on the language you're using). But C already has
posix_spawn(), and other languages have even better ways to handle such
things.

At least 90% of the effort required to use youtube-dl is spawning a
subprocess and parsing json, both very general things.

> I admit that I can understand people being nervous about such code in FFmpeg though...

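The contrast drawn in this message between system() and posix_spawn(), as an added example that is not part of the thread or of the patch under review: the child is started from an argument vector with no shell in between, so an untrusted URL stays a single argument. The helper name `run_capture` is hypothetical, and `printf` stands in for youtube-dl so that the example runs without it installed.

```c
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Spawn argv[0] (found via PATH) with no shell in between and copy up to
 * cap-1 bytes of its stdout into out. Returns exit status, or -1 on error. */
static int run_capture(char *const argv[], char *out, size_t cap)
{
    int fds[2], status, err;
    pid_t pid;
    posix_spawn_file_actions_t fa;
    size_t len = 0;
    ssize_t n;

    if (cap == 0 || pipe(fds) != 0)
        return -1;
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO);
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    posix_spawn_file_actions_addclose(&fa, fds[1]);
    err = posix_spawnp(&pid, argv[0], &fa, NULL, argv, environ);
    posix_spawn_file_actions_destroy(&fa);
    close(fds[1]);              /* parent keeps only the read end */
    while (err == 0 && len < cap - 1 &&
           (n = read(fds[0], out + len, cap - 1 - len)) > 0)
        len += (size_t)n;
    out[len] = '\0';
    close(fds[0]);
    if (err != 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed hostile input: shell metacharacters inside the "URL". */
    char url[] = "http://example.invalid/v?id=1; echo INJECTED $(id)";
    char prog[] = "printf", fmt[] = "%s"; /* stand-in for youtube-dl */
    char *argv[] = { prog, fmt, url, NULL };
    char out[256];
    int rc = run_capture(argv, out, sizeof out);
    printf("exit=%d output=[%s]\n", rc, out);
    return (rc == 0 && strcmp(out, url) == 0) ? 0 : 1;
}
```

The child echoes the URL back byte for byte, `;` and `$(id)` included, because nothing ever parses it as shell syntax. An argument vector does not stop the child from treating a value that begins with `-` as an option, so that still has to be checked or separated from the options by the caller.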
