User: Password:
|
|
Subscribe / Log in / New account

FFmpeg and a thousand fixes (Google Online Security Blog)

[Posted January 11, 2014 by jake]

Over on the Google Online Security Blog, Mateusz Jurczyk and Gynvael Coldwind describe the results of a few years of fuzzing FFmpeg, which is a cross-platform solution for handling audio and video. FFmpeg is used by numerous other projects including Google Chrome/Chromium, MPlayer, VLC, and xine. "We started relatively small by making use of trivial mutation algorithms, some 500 cores and input media samples gathered from readily available sources such as the samples.mplayerhq.hu sample base and FFmpeg FATE regression testing suite. Later on, we grew to more complex and effective mutation methods, 2000 cores and an input corpus supported by sample files improving the overall code coverage." Over 1000 bugs (including lots of security bugs) have been fixed in FFmpeg (and 400+ in Libav, which is a fork of FFmpeg).
(Log in to post comments)

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 11, 2014 6:14 UTC (Sat) by patrick_g (subscriber, #44470) [Link]

> Today, Libav is at 413 fixes and the library is slowly but surely catching up with FFmpeg.

So it means Debian/Ubuntu users are at risk?

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 11, 2014 9:16 UTC (Sat) by rbrito (subscriber, #66188) [Link]

Due to two family members that passed away this late 2013 (and the circumstances leading to them), I have not yet worked on my plan on packaging ffmpeg for Debian.

After having asked one very reasonable ffmpeg developer in private to know the real story, without euphemisms and political correctness, of the circumstances of the fork of libav, I made up my mind that regardless of the political grounds, on a technical ground, ffmpeg is superior and it is where the interesting things are happening.

I put a bit more of details in an e-mail to Josh Triplett at: http://bugs.debian.org/721317#18

Many things have changed since that e-mail of mine (e.g., libav now has a native VP9 decoder), but, in my experience, the same theme has stayed the same: in general, the innovations are happening in ffmpeg first.

I think that it was a technical mistake that Debian has "chosen" libav as the multimedia library (not that Debian really chose, since the ffmpeg maintainer of Debian/Ubuntu packages went to the libav side of the fork).

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 11, 2014 12:58 UTC (Sat) by Thue (subscriber, #14277) [Link]

This does sound very convincing in favor of ffmpeg: http://blog.pkh.me/p/13-the-ffmpeg-libav-situation.html

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 11, 2014 13:02 UTC (Sat) by mathstuf (subscriber, #69389) [Link]

We use FFmpeg at work and the issues we've seen is that libav has been a little more stable (behavior-wise, not necessarily API). We have datasets with encoded metadata (GPS location, FOV angles, etc.) and only libav has been able to decode all of the datasets with a single version. FFmpeg can do it, just not all in one release. Tweezing out the reasons hasn't been done (funding, time, and all that jazz), but it would be nice to have some better stability out of FFmpeg (and our bug report got some snarky responses IIRC).

That said, I personally use FFmpeg at home (my work with mpv, e.g.), but it does seem there are reasons to have libav around, even just as a data point for what works and what doesn't in different cases.

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 11, 2014 21:23 UTC (Sat) by allesfresser (subscriber, #216) [Link]

So sorry for your loss, rbrito. Thanks for your work.

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 12, 2014 3:36 UTC (Sun) by shmerl (guest, #65921) [Link]

Here is another review of this issue: https://github.com/mpv-player/mpv/wiki/FFmpeg-versus-Libav

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 12, 2014 5:11 UTC (Sun) by mathstuf (subscriber, #69389) [Link]

Well, one inaccuracy in that is that FFmpeg no longer merges libav (directly). Here's some results from previous digging (2013-10-28 and I have low bandwidth right now; can't recheck):

% git merge-base libav/master origin/master
07c52e2c7c60b087fd023cd9771778973def0b33
% git name-rev 07c52e2c7c60b087fd023cd9771778973def0b33
07c52e2c7c60b087fd023cd9771778973def0b33 remotes/libav/master~836

commit 07c52e2c7c60b087fd023cd9771778973def0b33
Author: Luca Barbato <lu_zero@gentoo.org>
Date: Tue May 7 01:29:36 2013 +0200

% git merge-base v0.8.6 origin/master
4b63cc18bc44517f0f9e04b39ab873cbc3c6aee5
% git name-rev 4b63cc18bc44517f0f9e04b39ab873cbc3c6aee5
4b63cc18bc44517f0f9e04b39ab873cbc3c6aee5 tags/v0.8^0

commit 4b63cc18bc44517f0f9e04b39ab873cbc3c6aee5
Author: Reinhard Tartler <siretart@tauware.de>
Date: Sat Jan 21 18:37:25 2012 +0100

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 13, 2014 8:58 UTC (Mon) by GhePeU (subscriber, #56133) [Link]

So your story is that you asked for information about libav in their IRC channel and taking advantage of the fact that no libav developer was present (because, you know, people have lives) a ffmpeg developer who was lurking there first started badmouthing libav without disclosing that he wasn't involved in the project and then peddled you some (very likely) biased account of the split in private? And this behaviour, which, to use an euphemism, I don't really find very appropriate, convinced you that ffmpeg is better than libav?

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 13, 2014 10:27 UTC (Mon) by fandom (subscriber, #4028) [Link]

I understand that this is just practice, but when you go full time into politics you will have to be much better at twisting what the other guy said.

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 11, 2014 13:36 UTC (Sat) by jmm (subscriber, #34596) [Link]

I've done quite some triaging on CVE IDs assigned for ffmpeg commits originating from the Google fuzzing effort as compared to libav in Debian.

Quite a bunch of them didn't affect libav because the code didn't exist there,

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 11, 2014 16:49 UTC (Sat) by hadrons123 (guest, #72126) [Link]

ffmpeg is already in deb-multimedia repos if you want. Its been uploaded into the mirrors in the last 48 hours. People can now choose what they want to use.

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 12, 2014 3:38 UTC (Sun) by shmerl (guest, #65921) [Link]

I stopped using deb-multimedia after it messed up my Debian testing not long ago (with premature VLC update). Debian project also doesn't advise to use it in general, since incompatibilities can happen.

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 12, 2014 9:37 UTC (Sun) by EricV (guest, #45164) [Link]

On the other I've been using deb-multimedia for years and have seldom faced any problem.

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 11, 2014 17:51 UTC (Sat) by EricV (guest, #45164) [Link]

Note that because XBMC use its own internal copy of ffmpeg that is known to be quite outdated, users of XBMC are also exposed. This is true also for mplayer but mplayer use more current ffmpeg snapshots in general.

FFmpeg and a thousand fixes (Google Online Security Blog)

Posted Jan 12, 2014 11:38 UTC (Sun) by bojan (subscriber, #14302) [Link]

Just used ffmpeg 2.1.1 last night on Fedora 20 (nothing fancy: copy video and audio, remap streams, apply qscale factor etc.). Seems to be leaking memory. Have to run it under valgrind to find out where, but I guess that bit wasn't fixed. :-)


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds