Google's engineers say they did it to help enhance security

Jan 11, 2014 13:26 GMT

In the past couple of years, Google has helped fix over 1,000 bugs in FFmpeg, the company announced.

Google has been using its data centers for fuzzing, a form of large-scale automated testing also called fault injection. FFmpeg is a free software project that produces libraries and programs for a wide range of purposes, including streaming audio and video, recording and converting data.

“At Google, security is a top priority - not only for our own products, but across the entire Internet. That’s why members of the Google Security Team and other Googlers frequently perform audits of software and report the resulting findings to the respective vendors or maintainers, as shown in the official “Vulnerabilities - Application Security” list,” Google’s Mateusz Jurczyk and Gynvael Coldwind wrote in a blog post.

Numerous apps use FFmpeg, including Google’s own Chrome and the popular media player VLC.

According to the company, over 1,000 bugs were fixed with its help in the past two years, while another 400 bugs were fixed alongside the developers of Libav.

“We are continuously improving our corpus and fuzzing methods and will continue to work with both FFmpeg and Libav to ensure the highest quality of the software as used by millions of users behind multiple media players. Until we can declare both projects "fuzz clean" we recommend that people refrain from using either of the two projects to process untrusted media files. You can also use privilege separation on your PC or production environment when absolutely required,” the announcement reads.

The two information security engineers from Google who were in charge of the blog post detailed the entire process they’ve gone through in the past couple of years, including how they first started out giving a helping hand to the FFmpeg team.