On 04.12.2016 23:42, Rostislav Pehlivanov wrote:
> On 4 December 2016 at 21:54, Andreas Cadhalpun <
> andreas.cadhal...@googlemail.com> wrote:
>> As I already wrote elsewhere, I don't think disabling this by default is
>> good,
>> as it will likely cause it to bitrot. Better require '-strict
>> experimental'.
>>
>>
> What about the security reasons listed below?

If it requires the user to explicitly add '-strict experimental', it can't be
exploited in practice.
Also I'm not sure there are any real security issues with this demuxer.

>>> +For security reasons this demuxer is disabled by default, should be
>>> +enabled though the @code{--enable-demuxer=ffprobe} configure option.
>>> +
>>
>>
> Does that mean the demuxer needs to be fuzzed or does it need to be
> insecure to work?

I've fuzzed it already and only found the things I mentioned.

Best regards,
Andreas
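Review bot: The quoted documentation hunk says "For security reasons" without naming the risk, so a reader of the manual cannot judge whether enabling the demuxer is safe for their input; the `+For security reasons this demuxer is disabled by default` line should state the concrete concern or point to where it is described. In the same two lines, "enabled though" should read "enabled through", and the comma splice is clearer as "is disabled by default and must be enabled through the @code{--enable-demuxer=ffprobe} configure option". If the gating moves to '-strict experimental' as proposed in this thread, this paragraph needs to describe that runtime option instead of the configure switch.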