[bawolff]

> Not to mention they just have a vested interest in getting the problem solved. Even if we don't talk about money.

Correct me if im wrong, but based on the report this looks like something that would affect regular users of ffmpeg but not google's use.

[godelski]

FWIW I tried replicating it and didn't get the same result. I end up with a failed conversion, exit code 69[0]. Same thing when I run with my installed version of ffmpeg.

But I think Google would still be concerned. Even if they're running ffmpeg in a sandbox you can escape sandboxes. The sandbox is a security layer, not what makes the thing safe. You should be using it as a layer of defense for unknown vulns, and try to resolve vulns. I mean Google is much more likely to have an attacker trying to chain a vuln with a sandbox escape than the average user.

Btw:

  ffmpeg -codecs | cat | grep SANM 2&>/dev/null
  ffmpeg version n8.0 Copyright (c) 2000-2025 the FFmpeg developers
  ... ffmpeg flags ...
  D.V.L. sanm                 LucasArts SANM/SMUSH video

So my version does have that codec, as others are reporting.

[0] Will expire soon https://0x0.st/KL6K.log

[DISCLOSURE]: I AM NOT A SECURITY PROFESSIONAL. If I am wrong please correct me

[jsnell]

You're running version 8.0. That's the version where this was fixed.