[vlc-devel] [PATCH 00/13] Execute medialib queries out of the UI thread

Romain Vimont rom1v at videolabs.io
Mon Nov 30 09:34:32 CET 2020


On Mon, Nov 30, 2020 at 04:30:55AM +0100, Pierre Ynard via vlc-devel wrote:
> > > Well my experience is that, if I enable the media library, VLC
> > > crashes immediately because of some demuxer bug. This is totally
> > > unacceptable.
> > >
> > > The root cause bug is most likely in an underlying library (and
> > > possibly failure of Debian to update), caused by a file in one of
> > > the standard media directories. Still, for the sake of reliability, it
> > > is totally insane and unacceptable that VLC crashes just because of
> > > a bug in a demuxer triggered by a file that is neither being played
> > > nor in a directory that was explicitly added.
> > >
> > > If this hits one out of a dozen devs, how many million users will
> > > have VLC crash straight away?
> >
> > As you know, this is correctly tracked as #25119 whereas this
> > patchset tackles #22687. From my experience, this helped
> > highlight a lot of issues in the code with sanitizers, like
> > prefetch, so it at least served a better purpose for the user,
> > and we probably need to have a good report system (at least for
> > developers) if moved to a dedicated process. This should be
> > discussed on #25119 though, as it's out of scope here.
> 
> Wow you guys are a bit scary. I'm glad that you mention the opportunity
> to sanitize code, but I can't help but react on the security concerns
> of this. That kind of feature is a staple of remote exploit or worm
> scenarios: first desktop UX developers come up with a streamlined
> vision, then the web browser or some other application has auto-download
> or auto-saving of files, then a media component (VLC here) has
> auto-indexing with preparsing, auto-thumbnailing or whatever else,
> then all you need is to inject from anywhere a file in some obscure,
> little-known and poorly maintained demux or codec format with unpatched
> vulnerabilities in that third-party library, and there you go, automated
> RCE. This is the kind of story where you get laughed at by security
> people.

I share your concerns; this is the kind of issue that has led to many
vulnerabilities in Android:
https://en.wikipedia.org/wiki/Stagefright_(bug)

In the end, the indexing/preparsing process will (have to) be sandboxed.

Regards
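
The isolation the reply ends on, as an added example that is not part of this thread and not VLC code: a preparser step run in a forked, resource-limited child so that a demuxer crash or hang on a file that was never meant to be played is contained instead of taking down the application. The "demuxer" (toy_demux), its DEMO magic and the crash/hang trigger bytes are all constructed for the illustration; the only real mechanisms are fork(), setrlimit() and waitpid() on Linux/POSIX. Isolating into a separate process is the coarse first layer; a real sandbox would additionally restrict syscalls (e.g. seccomp) and filesystem/network access, which this example deliberately leaves out.

```c
/* Added example (not VLC code): contain a crashing or looping demuxer by
 * running the preparse step in a forked, resource-limited child process.
 * Linux/POSIX only. The demuxer below is a constructed stand-in. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum preparse_result {
    PREPARSE_OK,        /* child parsed the file and exited cleanly */
    PREPARSE_REJECTED,  /* child exited non-zero: not our format / malformed */
    PREPARSE_CRASHED,   /* child died from a signal (SIGSEGV, SIGILL, ...) */
    PREPARSE_TIMEOUT,   /* child burned its CPU budget (SIGXCPU) */
    PREPARSE_ERROR      /* fork/wait failure in the parent */
};

/* Constructed toy format: 4-byte magic "DEMO", then a one-byte payload length.
 * Two length values deliberately model third-party demuxer bugs:
 *   0xFF -> wild NULL read (crash), 0xFE -> never-terminating parse loop. */
static int toy_demux(const unsigned char *buf, size_t len)
{
    if (len < 5 || memcmp(buf, "DEMO", 4) != 0)
        return -1;                      /* not our format */
    size_t payload = buf[4];
    if (payload == 0xFF) {              /* simulated bug: dereference NULL */
        volatile unsigned char *p = NULL;
        return *p;
    }
    if (payload == 0xFE) {              /* simulated bug: infinite loop */
        for (;;) ;
    }
    if (payload > len - 5)
        return -1;                      /* truncated file, reject cleanly */
    return 0;
}

/* Run toy_demux on buf inside a child and classify what happened to it.
 * The parent never touches the parser, so a parser crash cannot take it down. */
int sandboxed_preparse(const unsigned char *buf, size_t len)
{
    pid_t pid = fork();
    if (pid < 0)
        return PREPARSE_ERROR;

    if (pid == 0) {
        struct rlimit r;
        r.rlim_cur = 1;                 /* SIGXCPU after 1 s of CPU ... */
        r.rlim_max = 2;                 /* ... SIGKILL if it somehow survives */
        setrlimit(RLIMIT_CPU, &r);
        r.rlim_cur = r.rlim_max = 0;
        setrlimit(RLIMIT_CORE, &r);     /* no core dumps of hostile input */
        setrlimit(RLIMIT_NOFILE, &r);   /* parser cannot open anything new */
        _exit(toy_demux(buf, len) == 0 ? 0 : 1);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return PREPARSE_ERROR;
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 0 ? PREPARSE_OK : PREPARSE_REJECTED;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGXCPU ? PREPARSE_TIMEOUT : PREPARSE_CRASHED;
    return PREPARSE_ERROR;
}

int main(void)
{
    /* Constructed sample "files" dropped into an indexed directory. */
    static const struct { const char *name; const unsigned char *data; size_t len; } samples[] = {
        { "good.demo",    (const unsigned char *)"DEMO\x02" "ab", 7 },
        { "other.bin",    (const unsigned char *)"RIFF\x02" "ab", 7 },
        { "crash.demo",   (const unsigned char *)"DEMO\xff",      5 },
        { "hang.demo",    (const unsigned char *)"DEMO\xfe",      5 },
    };
    static const char *names[] = { "ok", "rejected", "crashed", "timeout", "error" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i].name,
               names[sandboxed_preparse(samples[i].data, samples[i].len)]);
    return 0;   /* the indexer is still alive after the crash and the hang */
}
```

The parent keeps running after the child segfaults or is killed for CPU overuse, which is exactly the property the thread is asking for: a bug in a demuxer reached through a file nobody opened becomes a logged "crashed"/"timeout" entry rather than an application crash (or, with a memory-corruption bug, code execution in the main process). Note that the string literals above split `"\x02" "ab"` on purpose, since a C hex escape would otherwise swallow the following hex digits.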

