@154219fe
I think C has little to do with it, the biggest problem is that while it's being considered "an open standard" by many, it's not that — there is only one major implementation and it's Google's own implementation, others have little to no interest contributing to it as it will remain Google's implementation in any case.
So having sole implementation that is used, in addition to obviously very popular Chrome itself, it's used by a lot of software. If that software has anything even remotely to do with images — why don't we add WebP support, right? So in addition to all the browsers, this shit is now everywhere.
Why the fuck down ffmpeg in my system depends of libwebp? I don't know. Does anyone of you use WebP for any other purposes except for posting it on the Web? I don't and I doubt that anyone does — it's advantages over existing formats is negligible for personal use, but it still makes sense for Google as they serve petabytes of data and even 10% makes a huge difference.
I might have digressed, but anyway — as it is used in software that is present virtually in every system and in addition to that, it's the same implementation, it makes libwebp a very attractive target for attacks. Monoculture is never good. These sole implementtion is closely studied by those, who intend to exploit it — this is where C factor might come into play.
Another problem is that Google doesn't give a fuck about how and where their library is used. Because they only care about how it's being used in Chrome — Chrome offers some means of isolation, if one tab gets compromised, others are safe. And to me it looks like that is exactly what they think: "Oh, it's not that bad, it's isolated!" And that is true, and same is true for Android. But is it isolated in ImageMagic — no, it's not. And when this vulnerability has hit the news, that is exactly what one person came up with in comments on HackerNews: let's isolate/containerize it for ffmpeg and ImageMagic too. That's insane! Nowadays it's assumed that everything is isolated/containerized — but in reality it's not. And it shouldn't be!
@buy robux today :ROBUX: @pistolero @surk...