This is a simple patch to mark SMUSH experimental so it doesn't
autoselect when choosing the codec. This prevents a malicious file from
exploiting CVE-2025-59734 when a user isn't explicitly choosing that codec.
I have tested this against Google's reference payload with and without
this change.
I've never submitted to ffmpeg before, so apologies if I'm in the wrong
place or missing something.
---
libavformat/smush.c | 1 +
1 file changed, 1 insertion(+)
mode change 100644 => 100755 libavformat/smush.c
diff --git a/libavformat/smush.c b/libavformat/smush.c
old mode 100644
new mode 100755
index d380bfbff1..3389bb630f
--- a/libavformat/smush.c
+++ b/libavformat/smush.c
@@ -256,6 +256,7 @@ static int smush_read_packet(AVFormatContext *ctx,
AVPacket *pkt)
const FFInputFormat ff_smush_demuxer = {
.p.name = "smush",
.p.long_name = NULL_IF_CONFIG_SMALL("LucasArts Smush"),
+ .p.flags = AVFMT_EXPERIMENTAL,
.priv_data_size = sizeof(SMUSHContext),
.read_probe = smush_read_probe,
.read_header = smush_read_header,
--
2.43.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
