On Fri, 11 May 2018 00:21:37 +0100
Rostislav Pehlivanov <atomnu...@gmail.com> wrote:

> On 10 May 2018 at 23:27, Paul B Mahol <one...@gmail.com> wrote:
> 
> > On 5/11/18, wm4 <nfx...@googlemail.com> wrote:  
> > > On Thu, 10 May 2018 16:44:59 +0100
> > > Derek Buitenhuis <derek.buitenh...@gmail.com> wrote:
> > >  
> > >> These demuxers have probes that mainly probe based on file extension,
> > >> and map to codec IDs that render text as video. The result is that
> > >> ffmpeg will, by default, happily render, for example, .txt files
> > >> as images. This is not exactly a good security practice, and only
> > >> makes it easier for potential attackers to gain the contents of
> > >> system files.
> > >>
> > >> Disable building these by default.
> > >>
> > >> Signed-off-by: Derek Buitenhuis <derek.buitenh...@gmail.com>
> > >> ---  
> > >
> > > +1
> > >
> > > You should send a patch that disables all those useless game demuxers
> > > too. They only cause security issues and bloated library sizes.  
> >
> > Against.
> > _______________________________________________
> > ffmpeg-devel mailing list
> > ffmpeg-devel@ffmpeg.org
> > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >  
> 
> I agree with Paul, game demuxers are useful, don't bloat much and can be
> fixed.

Experience shows that it's always the obscure features which cause
security issues. Regarding the bloat: these small things add up a lot,
and suddenly you have hundreds of demuxers. It's hard to filter them
out manually, and why make each user do that? Many of these game formats
in particular probably have something like under a dozen files in the
universe that exist at all (such as the files included in a particular
game release).