It is absolutely Google's security issue if they use an open source project with that license:

https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/HEAD:/COPYING....

and then expect volunteers to provide them fixes.

Google never asked a volunteer for a fix.

This is part of Google’s standard disclosure policy: it gets disclosed within 90 days starting from confirmation+contact.

If ffmpeg didn’t want to fix it, they could’ve just let the CVE get opened.

It's not just Google who could be affected by this.

> and then expect volunteers to provide them fixes.

Expect volunteers to provide everyone using the software with fixes.

For a bug in the LucasArts Smush codec? Why didn't you verify it was an mp4/h264 first?

Mp4 is an envelope codec, so it could be both an mp4 and an obscure codec.