[MPlayer-users] MPlayer -embeddedfonts option with ASS/SSA subtitles
Ergzay
ergzay at gmail.com
Thu Nov 16 21:37:31 CET 2006
On 2006/11/13, at 9:16, Reimar Döffinger wrote:
> Hello,
> On Mon, Nov 13, 2006 at 11:00:30AM +0100, Dominik 'Rathann'
> Mierzejewski wrote:
>> +1 for enabling it by default unless there are some good reasons why
>> it
>> shouldn't be.
>
> The (more or less) good reason is that it creates files on the system,
> and even worse, with arbitrary content and almost arbitrary (see also
> at
> the end) filename as defined by the media file.
> Those will also be processed by both fontconfig and freetype, which in
> the official windows build are linked statically, and with noone
> checking and updating that one in the case of security issues in any of
> these (same is true for other libs included, but they are not avoidable
> without dropping support completely).
> Furthermore I feel unable to guarantee that the file name check in
> ass.c,
> validate_fname will be correct and sufficient in all cases, on all
> operating systems.
> So if you want to change the default I can't stop you, but I will not
> bear any responsibility whatsoever. Which also means that I expect
> whoever does this to provide a patch in case a security issues is found
> within 2 days max, and one that is proper, i.e. minimal but fixes the
> issue with minimal loss of functionality.
So is the final decision "no" then? I am unable to do a patch myself as
my C++ knowledge is only basic (and yes I know this is C). MPlayer is
also very complex which further difficults things. So anyone?
Ergzay
More information about the MPlayer-users
mailing list