Reconsidering ffmpeg in Debian

Posted Aug 6, 2014 16:49 UTC (Wed) by amit (subscriber, #1274)
Parent article: Reconsidering ffmpeg in Debian

It won't find all the security bugs arising out of improper handling of input streams, but it would at least flag places which rely on user-controllable input that look suspicious, and that will give the developers a thought about the security aspect there.

Also, after the Heartbleed fiasco, Coverity is gaining some smarts in recognizing places that accept user input, so it's only a good thing to point Coverity at a codebase that handles a lot of potentially hostile input.

Posted Aug 6, 2014 17:00 UTC (Wed) by JGR (subscriber, #93631)

Expecting a tool to "easily" find all "bad-code" related bugs seems somewhat optimistic to me.

Arguably the bulk of ffmpeg/libav is in some way involved in handling user-controllable input (i.e. audio/video input).

Posted Aug 6, 2014 19:01 UTC (Wed) by markh (subscriber, #33984) (2 responses)

ffmpeg: https://scan.coverity.com/projects/54
libav: https://scan.coverity.com/projects/106

Posted Aug 7, 2014 16:27 UTC (Thu) by ux (guest, #98231) (1 response)

Coverity is quite nice BTW.

Posted Aug 13, 2014 8:55 UTC (Wed) by ber (subscriber, #2142)

Made me look into stand-alone Free Software security checking tools like cppcheck, flawfinder or ASan/TSan/MSan.

Those are significant drawbacks.
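The thread above is about what static analysers (Coverity, cppcheck, flawfinder) and sanitizers (ASan) can and cannot catch in code that parses hostile input. As an added example, constructed for this page and not code from ffmpeg, libav or any of the commenters, here is the classic pattern such tools are built to flag: a length read straight from the stream used as a memcpy size, beside a bounded version. The chunk format, the function names and the sample byte strings are all assumptions made up for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed toy container format (not any real ffmpeg demuxer): a stream is a
 * sequence of chunks, each a 4-byte big-endian length followed by that many
 * payload bytes. Payloads are copied into a fixed 64-byte buffer. */
#define PAYLOAD_MAX 64

struct chunk {
    uint32_t len;
    uint8_t  payload[PAYLOAD_MAX];
};

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable form: the attacker-controlled length flows unchecked into the
 * memcpy size. A tainted-data static check flags the memcpy; building with
 * -fsanitize=address makes the resulting out-of-bounds write abort at runtime.
 * Never call this on untrusted data; it is kept here only for comparison. */
int parse_chunk_unchecked(const uint8_t *in, size_t in_len, struct chunk *out)
{
    if (in_len < 4)
        return -1;
    out->len = rd32be(in);
    memcpy(out->payload, in + 4, out->len);   /* overflows if len > 64 or len > in_len - 4 */
    return (int)(4 + out->len);
}

/* Hardened form: bound the length against both the destination buffer and the
 * bytes actually present in the stream before it is used as a size.
 * Returns bytes consumed, or -1 on a malformed chunk. */
int parse_chunk_checked(const uint8_t *in, size_t in_len, struct chunk *out)
{
    if (in_len < 4)
        return -1;                      /* truncated header */
    uint32_t len = rd32be(in);
    if (len > PAYLOAD_MAX)
        return -1;                      /* would overflow the fixed buffer */
    if (len > in_len - 4)
        return -1;                      /* claims more payload than the stream holds */
    out->len = len;
    memcpy(out->payload, in + 4, len);
    return (int)(4 + len);
}

/* Walk a whole stream with the hardened parser; returns the number of chunks,
 * or -1 at the first malformed one. */
int count_chunks(const uint8_t *in, size_t in_len)
{
    struct chunk c;
    int n = 0;
    while (in_len > 0) {
        int used = parse_chunk_checked(in, in_len, &c);
        if (used < 0)
            return -1;
        in += used;
        in_len -= (size_t)used;
        n++;
    }
    return n;
}

/* Constructed sample streams (not captured from any real file). */
static const uint8_t good_stream[] = {
    0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c',   /* chunk with 3 payload bytes */
    0x00, 0x00, 0x00, 0x00                   /* empty chunk */
};
static const uint8_t hostile_stream[] = {
    0xff, 0xff, 0xff, 0xff, 'x'              /* claims 4 GiB, supplies 1 byte */
};

/* A chunk whose length is fully present in the stream but exceeds the fixed
 * destination buffer; only the hardened parser rejects it. */
int oversize_chunk_rejected(void)
{
    uint8_t buf[4 + 100];
    memset(buf, 'z', sizeof buf);
    buf[0] = 0; buf[1] = 0; buf[2] = 0; buf[3] = 100;
    struct chunk c;
    return parse_chunk_checked(buf, sizeof buf, &c) == -1;
}

int main(void)
{
    printf("good stream: %d chunks\n", count_chunks(good_stream, sizeof good_stream));
    printf("hostile stream: %d\n", count_chunks(hostile_stream, sizeof hostile_stream));
    printf("oversize chunk rejected: %d\n", oversize_chunk_rejected());
    return 0;
}
```

Compile once with `-fsanitize=address` and feed `hostile_stream` to `parse_chunk_unchecked` in a scratch copy to see the runtime report; the checked variant is the shape a reviewer wants to see at every place a size or offset comes from the stream.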