Hacker News new | ask | show | jobs
by fpoling 2 hours ago
Browsers run it in a sandbox process together with allocator hardening. Most of the bugs then are just crashed of the sandbox

Another option is WASM or WASM-style sandboxes if using another process is undesirable.
1 comments
johnnythunder 2 hours ago
One chained sandbox escape away from compromise.
link
loeg 1 hour ago
Which is of course better than zero sandbox escapes.
link
ttoinou 2 hours ago
Ahah

But are the compiler+OS that runs the ffmpeg executable really a sandbox ?

link