[FFmpeg-devel] Security issues?

Michael Niedermayer michaelni
Wed Sep 23 20:44:39 CEST 2009


On Wed, Sep 23, 2009 at 11:18:09AM -0700, Baptiste Coudurier wrote:
> On 09/23/2009 03:17 AM, Michael Niedermayer wrote:
>> On Tue, Sep 22, 2009 at 08:09:08PM +0200, Michael Niedermayer wrote:
>>> Hi
>>>
>>> lars has mailed me the following 2 links
>>> http://www.heise.de/newsticker/Sicherheitsluecken-in-VLC-und-FFmpeg--/meldung/145655
>>> http://secunia.com/advisories/36805/
>>
>> another mov issue (not security relevant!)
>> http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/29_mov_dref_looping.patch?revision=25014&view=markup
>>
>> I think this one can just be applied
>
> Nope, not security relevant, besides I'd like to see the file that causes
> the problem.

I haven't downloaded it but they list this one:
https://cevans-app.appspot.com/static/video/clockh264aac_200021889.mp4


> Because the counter is fixed and it will stop after some time, 
> although seeking around.

I think the issue is that it can seek back to the same spot so even a
very small file could tie up the demuxer for a long time until the
counter reaches zero

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

> ... defining _GNU_SOURCE...
For the love of all that is holy, and some that is not, don't do that.
-- Luca & Mans
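
The fixed-counter versus seek-back-to-the-same-spot reasoning in this message, as an added example that is not part of the original mail and is not FFmpeg's or Chromium's code. It assumes a constructed toy container (not the MOV format) in which each record only names the next read position; `record`, `walk_with_budget` and `walk_with_visited` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy container: each record only says where to read next.
 * This is NOT the MOV format; it models "a seek can land on an earlier spot". */
typedef struct { uint32_t next; } record;    /* next == END stops parsing */
#define END 0xFFFFFFFFu
#define MAX_RECORDS 64                       /* toy limit for the seen[] table */

/* Strategy A: fixed budget. It always terminates, but a looping file
 * costs the whole budget however small the file is. Returns steps taken. */
static long walk_with_budget(const record *f, size_t n, long budget)
{
    long steps = 0;
    uint32_t pos = 0;
    while (pos != END && pos < n && budget-- > 0) {
        pos = f[pos].next;                   /* "seek" to the next record */
        steps++;
    }
    return steps;
}

/* Strategy B: remember visited positions and stop on the first revisit,
 * so the work is bounded by the file size instead of by the counter.
 * Returns steps taken, -1 if a loop was found, -2 if the file is too big. */
static long walk_with_visited(const record *f, size_t n)
{
    unsigned char seen[MAX_RECORDS];
    long steps = 0;
    uint32_t pos = 0;
    if (n > MAX_RECORDS)
        return -2;
    memset(seen, 0, sizeof(seen));
    while (pos != END && pos < n) {
        if (seen[pos])
            return -1;                       /* same spot again: reject */
        seen[pos] = 1;
        pos = f[pos].next;
        steps++;
    }
    return steps;
}

/* Constructed samples: a 3-record loop and a well-formed 3-record chain. */
static const record looping[] = { {1}, {2}, {0} };
static const record linear[]  = { {1}, {2}, {END} };
```

With a budget of one million, the three-record loop consumes every step of the budget, while the revisit check rejects it after three.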