Announcement

**aviallon** · 03 October 2023, 02:51 AM

Originally posted by peterdk View Post

I expect that in the long run people/companies will require that codecs are written in memory safe languages.

Or even better, formally proven to be safe (using Prustli for instance).

**ssokolow** · 03 October 2023, 04:10 AM

Originally posted by bug77 View Post

Wait, what? A web page that tells my browser to encode things? Wth? I mean, it's possible, technically, but who really visits page that make them encode video?

That's what you get when you bake the building blocks for video conferencing into the browser.

**bug77** · 03 October 2023, 10:17 AM

Originally posted by ssokolow View Post

That's what you get when you bake the building blocks for video conferencing into the browser.

But video conferencing would encode your local stream, not something crafted by a 3rd party...
But the CVE is not about browsers, it's about libvpx encoding something from an html element. Not sure why you'd enable that. At least not by default. Then again, I did not read the whole CVE, maybe it's all explained in there, somewhere.

**ssokolow** · 03 October 2023, 04:59 PM

Originally posted by bug77 View Post

But video conferencing would encode your local stream, not something crafted by a 3rd party...
But the CVE is not about browsers, it's about libvpx encoding something from an html element. Not sure why you'd enable that. At least not by default. Then again, I did not read the whole CVE, maybe it's all explained in there, somewhere.

I think they're talking about HTMLCanvasElement.captureStream() and the corresponding methods on the video and audio tags, which were likely intended for stuff like doing OBS-style "Twitch streamer composited into the corner of the footage" compositing in the browser.

Announcement

VP8/VP9's libvpx 1.13.1 Released Due To A High Severity Vulnerability

Comment

Comment

Comment

Comment