Hacker News

Of these, I'm pretty sure VLC is the most common software on end-user systems - and there are enough security advisories where a well-crafted video file can execute code with user privileges (like https://www.videolan.org/security/sa1801.html ). If you can automate that, you have access to many personal computers in the EU.



Also, VLC has a huge attack surface - binary parsing is difficult to do right in C / C++. I hope this effort makes the crashes less frequent...


There's work going on (since 2016) to port the parsers to Rust[1]. I believe that a few already are written in Rust, and it'd be great if some Rust folks would help out with the effort.

[1]: https://youtu.be/YTy_JOxGOd4


Is mpv [0] better in this regard?

0: https://mpv.io/


GP isn't saying that VLC is unsafe, but rather that C (which VLC is written in) tends to be unsafe. Seeing as MPV is also written in C, it's absolutely the same in that regard.


AFAIK both VLC and mpv use FFmpeg's codecs, so their attack surfaces should be similar.



