[MPlayer-users] MPlayer -embeddedfonts option with ASS/SSA subtitles

[Alexander Strange]

On Nov 13, 2006, at 9:16 AM, Reimar Döffinger wrote:

>
> The (more or less) good reason is that it creates files on the system,
> and even worse, with arbitrary content and almost arbitrary (see  
> also at
> the end) filename as defined by the media file.
> Those will also be processed by both fontconfig and freetype, which in
> the official windows build are linked statically, and with noone
> checking and updating that one in the case of security issues in  
> any of
> these (same is true for other libs included, but they are not  
> avoidable
> without dropping support completely).
> Furthermore I feel unable to guarantee that the file name check in  
> ass.c,
> validate_fname will be correct and sufficient in all cases, on all  
> operating systems.

I think this is a very bad idea feature-wise, because -ass without - 
embeddedfonts is pretty much almost as bad as no -ass for most of the  
weird things people do.

If you're worried about filename safety, why preserve names in the  
first place? They don't matter to fontconfig that I know of.




> So if you want to change the default I can't stop you, but I will not
> bear any responsibility whatsoever. Which also means that I expect
> whoever does this to provide a patch in case a security issues is  
> found
> within 2 days max, and one that is proper, i.e. minimal but fixes the
> issue with minimal loss of functionality.