[MPlayer-users] MPlayer -embeddedfonts option with ASS/SSA subtitles

Reimar Döffinger Reimar.Doeffinger at stud.uni-karlsruhe.de
Mon Nov 13 15:16:12 CET 2006


Hello,
On Mon, Nov 13, 2006 at 11:00:30AM +0100, Dominik 'Rathann' Mierzejewski wrote:
> +1 for enabling it by default unless there are some good reasons why it
> shouldn't be.

The (more or less) good reason is that it creates files on the system,
and even worse, with arbitrary content and almost arbitrary (see also at
the end) filename as defined by the media file.
Those will also be processed by both fontconfig and freetype, which in
the official windows build are linked statically, and with noone
checking and updating that one in the case of security issues in any of
these (same is true for other libs included, but they are not avoidable
without dropping support completely).
Furthermore I feel unable to guarantee that the file name check in ass.c,
validate_fname will be correct and sufficient in all cases, on all operating systems.
So if you want to change the default I can't stop you, but I will not
bear any responsibility whatsoever. Which also means that I expect
whoever does this to provide a patch in case a security issues is found
within 2 days max, and one that is proper, i.e. minimal but fixes the
issue with minimal loss of functionality.

Greetings,
Reimar Döffinger



More information about the MPlayer-users mailing list