### Security Approval Request

* **How easily could an exploit be constructed based on the patch?**: It would depend on whether or not they could get the plugin into a state of providing a buffer that is too small. The only relevant input is encoded video frames, so presumably they would need to craft a video decoded by OpenH264 that is able to produce that result from it.
* **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: No
* **Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?**: All
* **If not all supported branches, which bug introduced the flaw?**: None
* **Do you have backports for the affected branches?**: No
* **If not, how different, hard to create, and risky will they be?**: It should apply cleanly.
* **How likely is this patch to cause regressions; how much testing does it need?**: Unlikely.
* **Is the patch ready to land after security approval is given?**: Yes
* **Is Android affected?**: Yes
Bug 1916476 Comment 3 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
### Security Approval Request

* **How easily could an exploit be constructed based on the patch?**: It would depend on whether or not they could get the plugin into a state of providing a buffer that is too small. The only relevant input is encoded video frames, so presumably they would need to craft a video decoded by OpenH264 that is able to produce that result from it.
* **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: No
* **Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?**: All
* **If not all supported branches, which bug introduced the flaw?**: None
* **Do you have backports for the affected branches?**: No
* **If not, how different, hard to create, and risky will they be?**: It should apply cleanly.
* **How likely is this patch to cause regressions; how much testing does it need?**: Unlikely.
* **Is the patch ready to land after security approval is given?**: Yes
* **Is Android affected?**: No