[FFmpeg-devel] [PATCH] avcodec/rscc: Avoid returning frames that have nearly no undamaged pixels in them
Derek Buitenhuis
derek.buitenhuis at gmail.com
Fri Jan 18 16:24:57 EET 2019
On 18/01/2019 11:46, Carl Eugen Hoyos wrote:
> No, you are completely missing the point.
I am not. I fully understand the argument in favour of these,
I just don't agree.
> Possible security issues in this decoder will only be
> searched (and therefore found) if the decoder doesn't
> timeout quickly on damaged files.
I am aware, and I disagree with the premise of dumping all over
the code and its complexity/readability in order to make a particular
fuzzer happy, so we can be 100% sure it won't miss an issue.
To that end, I've opened a bug with oss-fuzz for some guidance:
https://github.com/google/oss-fuzz/issues/2095
> I assume this is the result of a (simple) cost-benefit-
> analysis by the people running the fuzzing systems.
Yes, the cost of them running the tests, not dev/complexity costs
for downstream.
> Nobody asks you to fix the issues, blocking them is an
> interesting concept security-wise.
It makes plenty of code horrible and unnecessarily complex, so you
cannot simply argue "well you're not the one fixing them so bugger
off".
- Derek
More information about the ffmpeg-devel
mailing list