On Tue, Jun 10, 2025 at 4:11 PM Michael Niedermayer <mich...@niedermayer.cc> wrote:
> Hi Pavel
>
> On Tue, Jun 10, 2025 at 11:27:37AM -0600, Pavel Koshevoy wrote:
> > On Tue, Jun 10, 2025 at 9:29 AM Michael Niedermayer <mich...@niedermayer.cc>
> [...]
> >
> > I have never had any intention of introducing a
> > security vulnerability.
>
> do you agree that the patch should be reverted ?
> (and also the 2 backports of it)
>

No, since I already provided a fix -- I would cherry-pick it to the release/6.1 and release/7.1 as well, but you do as you wish.

>
> > > If people want to keep this, it should be behind a flag and
> > > disabled by default.
> > >
> > I am not familiar with such flags ... are you suggesting a compile-time
> > flag, or a run-time flag?
> > A runtime flag would be preferable, because that would save me from having
> > to cross-compile win64 ffmpeg libs myself.
>
> runtime
>
> > > It's not enough to fix our code that crashes, other applications
> > > similarly won't expect such id and type changes mid stream
> > >
> > IDK how likely a media type change is outside the 1_poc.mp4.
>
> 100% likeliness an exploit of this will use it
>
> > The sample
> > files I have don't do that.
>
> Your sample files are not exploits I assume. So obviously
> they don't
>
> > I can provide a 61MB clip of one such file, just a few seconds of SDR mpeg2
> > video/audio slate followed by a few seconds of HDR10 hevc video and eac3
> > audio... in case someone wants to work on making fftools support this.
>
> This file certainly is valuable and should be added to samples.ffmpeg.org
>
> BUT this security issue needs to be fixed, regardless of
> anyone adding support for such samples
>
> I don't think backporting midstream codec_id/type changes is a good
> idea btw.
>
> IMHO this should all be reverted (it's a small 3 line patch)
> and then again start from scratch with review, testing, fuzzing, and
> runtime flag.
>
> PS: The researcher also wants a CVE# for this issue.
> IDK what this means.
>
> thx
>
> [...]
>
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> What is money laundering? It's paying someone and not telling the
> government.
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".