Right, this is why video parse / decode ought to be sandboxed. Writing secure code for these formats, especially in C, is really hard. I just sort of glanced at the bug in the repo, but it sounds plausible. It certainly wouldn’t be the first of its kind.

> I mean, that's how people get hacked.

...when was the last documented case of an in-the-wild hack targeting VNC?