[FFmpeg-devel] [PATCH v4] Unbreak av_malloc_max(0) API/ABI

Joakim Tjernlund Joakim.Tjernlund at infinera.com
Wed Nov 4 11:55:51 EET 2020


On Wed, 2020-11-04 at 10:51 +0100, Michael Niedermayer wrote:
> 
> On Tue, Nov 03, 2020 at 02:38:52PM +0100, Andreas Rheinhardt wrote:
> > Timo Rothenpieler:
> > > Given the multitude of recent serious security issues in Chromium-based
> > > Browsers, is this even still an issue?
> > > Anything not up to date enough to have already been fixed has serious
> > > security issues and should be updated ASAP, which also fixes this issue
> > > in turn.
> > > 
> > > I'd rather see downstream users fix their stuff than introduce
> > > workarounds for broken downstreams into ffmpeg.
> > +1
> 
> I normally am in favor of helping downstreams, but in this case
> I think there is maybe some risk of adding code which could somehow
> end up as part of an exploit.
> Asking for a more restrictive limit should not disable the limit;
> that feels a bit dangerous to me.

Not adding this forces apps to stay on known vulnerable ffmpeg.

 Jocke

