[FFmpeg-devel] [PATCH v4] Unbreak av_malloc_max(0) API/ABI

Timo Rothenpieler timo at rothenpieler.org
Wed Nov 4 13:47:26 EET 2020


On 04.11.2020 10:55, Joakim Tjernlund wrote:
> On Wed, 2020-11-04 at 10:51 +0100, Michael Niedermayer wrote:
>>
>> On Tue, Nov 03, 2020 at 02:38:52PM +0100, Andreas Rheinhardt wrote:
>>> Timo Rothenpieler:
>>>> Given the multitude of recent serious security issues in Chromium-based
>>>> Browsers, is this even still an issue?
>>>> Anything not up to date enough to have already been fixed has serious
>>>> security issues and should be updated ASAP, which also fixes this issue
>>>> in turn.
>>>>
>>>> I'd rather see downstream users fix their stuff than introduce
>>>> workarounds for broken downstreams into ffmpeg.
>>> +1
>>
>> I normally am in favor of helping downstreams but in this case
>> I think there is maybe some risk of adding code which could somehow
>> end up as part of an exploit.
>> Asking for a more restrictive limit should not disable the limit,
>> that feels a bit dangerous to me.
> 
> Not adding this forces apps to stay on known vulnerable ffmpeg.

No it doesn't. It forces them to upgrade away from a known vulnerable 
old Chromium version to one that does not have the issue.

