[FFmpeg-devel] [PATCH] lavc: Prevent opening of experimental codecs if strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL.

Michael Niedermayer michaelni at gmx.at
Fri Jan 13 16:33:13 CET 2012


On Fri, Jan 13, 2012 at 09:23:37AM -0500, compn wrote:
> On Fri, 13 Jan 2012 06:42:35 +0100, Michael Niedermayer wrote:
> >Some of these encoders may produce invalid bitstreams, which should not
> >be done without the user knowing.
> >Some of these decoders may be unfinished and may contain security issues.
> 
> >+            av_log(avctx, AV_LOG_ERROR, "Codec is experimental but experimental codecs are not enabled, see -strict -2\n");
> >+            ret = -1;
> >+            goto free_and_end;
> 
> would a warning be better? i dont like to force the user to type extra
> commands just to use certain decoders. but i am not that strong against
> this, just imo.

the problem with a warning is

"Experimental codec is going to be used, you have 50 milli seconds to
hit ctrl-c or your system will possibly be compromised in case the
file is crafted by a bad guy and the experimental codec contains a
security hole"

if someone wants we of course could check an environment variable or
something like that so users who wish all decoders to be auto selected
can force that or we could add a new codec cap for codecs that we
consider possibly not fully secure

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

There will always be a question for which you do not know the correct awnser.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20120113/75b251d0/attachment.asc>


More information about the ffmpeg-devel mailing list