Hi Pavel On Tue, Jun 10, 2025 at 11:27:37AM -0600, Pavel Koshevoy wrote: > On Tue, Jun 10, 2025 at 9:29 AM Michael Niedermayer <mich...@niedermayer.cc> [...]
> I have never had any intention of introducing a > security vulnerability. do you agree that the patch should be reverted ? (and also the 2 backports of it) > If people want to keep this, it should be behind a flag and > > disabled by default. > > > I am not familiar with such flags ... are you suggesting a compile-time > flag, or a run-time flag? > A runtime flag would be preferable, because that would save me from having > to cross-compile win64 ffmpeg libs myself. runtime > > > Its not enough to fix our code that crashes, other applications > > similarly wont expect such id and type changes mid stream > > > IDK how likely a media type change is outside the 1_poc.mp4. 100% likelyness an exploit of this will use it > The sample > files I have don't do that. Your sample files are not exploits i assume. So obviously they dont > I can provide a 61MB clip of one such file, just a few seconds of SDR mpeg2 > video/audio slate followed by a few seconds of HDR10 hevc video and eac3 > audio... in case someone wants to work on making fftools support this. This file certainly is valuable and should be added to samples.ffmpeg.org BUT this security issue needs to be fixed, regardless of anyone adding support for such samples I dont think backporting midstream codec_id/type changes is a good idea btw. IMHO this should all be reverted (its a small 3 line patch) and then again start from scratch with review, testing, fuzzing, and runtime flag. PS: The researcher also wants a CVE# for this issue. thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB What is money laundering? Its paying someone and not telling the government.
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
