[FFmpeg-devel] API enhancements / broken promises
Tomas Härdin
tjoppen at acc.umu.se
Thu Aug 18 11:48:04 EEST 2022
ons 2022-08-17 klockan 19:21 +0200 skrev Michael Niedermayer:
>
> Now to achieve this do we need xml and json ?
> grep tells me we have 500 matches (not counting docs) for xml and
> almost 100
> for json
> Also for streaming and some cases filtering being able to serialize
> objects
> would be useful. xml and json seem better choices than some ad-hoc
> format
> So i would awnser the question do we need XML and JSON, with yes we
> live
> in a world that uses XML and JSON so if we give the option to use it
> too
> that makes it easier for others to interact.
>
> now do we need our own implementation of it ? I dont know but we have
> in almost all cases favored our native implementations when someone
> wrote
> one. And libxml2 has had so many security issues that i think we
> should
> at least consider replacing it.
Absolutely not. The solution is to fix and improve libxml2, not to add
to the problem with our own XML parser which will inevitably have its
own set of bugs. NIH for its own sake does nothing but split developer
effort and increase the number of bugs.
Parsing is hard and the source of the vast majority of CVEs. This
project should take the advice of the langsec community to heart.
Resist the urge to write your own shotgun parsers because it is "fun".
Make your protocol context-free or regular!
/Tomas
More information about the ffmpeg-devel
mailing list