I don't think that's an accurate description of the full scope of the problem. T... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		inkysigma 32 days ago \| parent \| context \| favorite \| on: FFmpeg to Google: Fund us or stop sending bugs I don't think that's an accurate description of the full scope of the problem. The codec itself is mostly unused but the code path can possibly be triggered from file fuzzing that ffmpeg uses so a maliciously crafted payload (e.g. any run of ffmpeg that touches user input without disabling this codec) could possibly be exploited.

seb1204 31 days ago [–]

Why does google simply build their own ffmpeg from source without the codec?

woodruffw 31 days ago | [–]

They almost certainly do. But it's also in the public interest to responsibly disclose vulnerabilities in components that don't directly affect you.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact