[FFmpeg-devel] [PATCH v4] Unbreak av_malloc_max(0) API/ABI

Joakim Tjernlund Joakim.Tjernlund at infinera.com
Wed Nov 4 16:08:23 EET 2020


On Wed, 2020-11-04 at 12:47 +0100, Timo Rothenpieler wrote:
> 
> On 04.11.2020 10:55, Joakim Tjernlund wrote:
> > On Wed, 2020-11-04 at 10:51 +0100, Michael Niedermayer wrote:
> > > 
> > > On Tue, Nov 03, 2020 at 02:38:52PM +0100, Andreas Rheinhardt wrote:
> > > > Timo Rothenpieler:
> > > > > Given the multitude of recent serious security issues in Chromium-Based
> > > > > Browsers, is this even still an issue?
> > > > > Anything not up to date enough to have already been fixed has serious
> > > > > security issues and should be updated ASAP, which also fixes this issue
> > > > > in turn.
> > > > > 
> > > > > I'd rather see downstream users fix their stuff than introduce
> > > > > workarounds for broken downstreams into ffmpeg.
> > > > +1
> > > 
> > > I normally am in favor of helping downstreams but in this case
> > > I think there is maybe some risk of adding code which could somehow
> > > end up as part of an exploit.
> > > Asking for a more restrictive limit should not disable the limit,
> > > that feels a bit dangerous to me
> > 
> > Not adding this forces apps to stay on known vulnerable ffmpeg
> 
> No it doesn't. It forces them to upgrade away from a known vulnerable
> old Chromium version to one that does not have the issue.

I was referring to what is out/released now. Eventually all SW will upgrade for one reason or another.

 Jocke

