How to handle media files from untrusted sources?

Indeed, there are many vulnerabilities in FFmpeg and the like, many of them discovered by researchers at Google using fuzzing techniques. Updating your player, encoder and codecs is a must to get as secure a system as possible.

If you have to deal with (media) files from untrusted sources, I may suggest handling them in a "virtual container". Check out some of the solutions like VMware or VirtualBox which provide free versions.

I'm working as a security researcher and my team is relying on this approach for all critical file types (media, documents, executables, etc.). It has some negative impact on comfort and performance, usually just in a minor way. But sometimes this is the price you have to pay for security.


Given the number of codecs and players today, bad things may indeed happen.

Regarding "What to do?", I found a pretty simple solution: I use my own image viewer and movie player, which will not interpret data like in your example. Although for images it pretty much supports every invented format, for video there's the problem of codecs: too many of them in too many versions.

Although official formats work fine, some new weird codecs will not. But given that I get such a file in about 1 of 1000 cases, I see no problem in converting them in a protected mode.

There are many advantages of not depending on operating system files or security in order to view images and play movies, starting with something like Windows not spawning its thumbs.db everywhere (since I never use Explorer or MP) to Linux security issues and exploits that may come with the codecs, mostly non-stream data interpretation.

For the video part, you should find a player that is able to play the stream as-is, with the possibility of ignoring all spam/meta information. Using it like that will make you perfectly safe.
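As an added illustration of the "non-stream data interpretation" risk the answer above refers to (this is example code written for this page, not code from either answerer or from any player project): before an untrusted MP4/MOV file reaches a decoder, a small pre-check can walk the container's top-level box layout and reject files whose declared box sizes do not fit the file, which is one of the malformed-input classes fuzzers routinely turn up in demuxers. The allow-list of top-level box types, the `check_container` name and the constructed sample byte strings are assumptions made for this example.

```python
"""Defensive pre-check of an ISOBMFF (MP4/MOV) container before handing it to a decoder.

Added example, not code from the original thread. It walks the top-level
'size' + 'type' box headers that every MP4/MOV file is built from and rejects
files whose declared sizes do not fit the file. The allow-list below is an
assumption chosen for this example; real files may legitimately carry more.
"""
import struct

# Top-level box types we are prepared to pass on (assumption for this example).
ALLOWED_TOP_LEVEL = {b"ftyp", b"moov", b"mdat", b"free", b"skip"}


def walk_boxes(data: bytes):
    """Yield (type, offset, size) for each top-level box; raise ValueError on a malformed layout."""
    offset = 0
    total = len(data)
    while offset < total:
        if total - offset < 8:
            raise ValueError(f"truncated box header at offset {offset}")
        size, btype = struct.unpack(">I4s", data[offset:offset + 8])
        header_len = 8
        if size == 1:
            # size == 1 means a 64-bit 'largesize' field follows the type
            if total - offset < 16:
                raise ValueError(f"truncated largesize header at offset {offset}")
            size = struct.unpack(">Q", data[offset + 8:offset + 16])[0]
            header_len = 16
        elif size == 0:
            # size == 0 means the box extends to the end of the file
            size = total - offset
        if size < header_len:
            raise ValueError(f"box {btype!r} at offset {offset} declares size {size} smaller than its header")
        if offset + size > total:
            raise ValueError(f"box {btype!r} at offset {offset} declares size {size} beyond end of file ({total})")
        yield btype, offset, size
        offset += size


def check_container(data: bytes) -> dict:
    """Return a summary; 'ok' is False with a 'reason' when the file should not be opened."""
    try:
        boxes = list(walk_boxes(data))
    except ValueError as exc:
        return {"ok": False, "reason": str(exc), "boxes": []}
    types = [b for b, _, _ in boxes]
    if not types or types[0] != b"ftyp":
        return {"ok": False, "reason": "file does not start with an ftyp box", "boxes": types}
    unknown = [t for t in types if t not in ALLOWED_TOP_LEVEL]
    if unknown:
        return {"ok": False, "reason": f"unexpected top-level boxes: {unknown}", "boxes": types}
    return {"ok": True, "reason": "", "boxes": types}


def box(btype: bytes, payload: bytes = b"") -> bytes:
    """Build a box with a 32-bit size field (helper for the constructed samples)."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


# Constructed samples (not real media): a minimal well-formed layout and two malformed ones.
GOOD = box(b"ftyp", b"isom\x00\x00\x02\x00isomiso2mp41") + box(b"moov", b"\x00" * 16) + box(b"mdat", b"\x00" * 32)
# 'mdat' claims ~2 GiB although only 8 bytes follow its header
OVERSIZED = box(b"ftyp", b"isom\x00\x00\x02\x00") + struct.pack(">I4s", 0x7FFFFFFF, b"mdat") + b"\x00" * 8
# 'moov' claims a size smaller than its own 8-byte header
UNDERSIZED = box(b"ftyp", b"isom\x00\x00\x02\x00") + struct.pack(">I4s", 4, b"moov") + b"\x00" * 8

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("oversized", OVERSIZED), ("undersized", UNDERSIZED)):
        print(name, check_container(sample))
```

This only inspects the outer container layout; it does not parse the codec payload, so it complements rather than replaces running the actual conversion or playback in an isolated VM as the first answer suggests.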