[vlc-devel] [PACKAGERS] libavformat leak security advisory

Rémi Denis-Courmont remi at remlab.net
Tue Jan 19 21:05:15 CET 2016

On Tuesday 19 January 2016 20:49:35 Michael Niedermayer wrote:
> If you know of a security issue in FFmpeg 2.8.5, please provide details
> about that. I am not aware of a remaining related issue and none
> was reported to ffmpeg-security.

HLS is just one mean of URL indirection. Any redirection or "playlist" format, 
and probably some other less obvious means open the same window of attack as 
libavformat´s HLS.

The current libavformat concat is essentially an injection vulnerability.

> Also if you have a patch fixing an issue, as you describe, please
> share that patch so we can fix any remaining issue in FFmpeg

As was already discussed on libav-devel, I only know two solutions:

Rémi Denis-Courmont

More information about the vlc-devel mailing list