[flac-dev] Two new CVEs against FLAC
Erik de Castro Lopo
mle+la at mega-nerd.com
Tue Dec 9 11:33:39 PST 2014
Janne Hyvärinen wrote:
> In general I'm against patches that error out at the first sign of
> corruption instead of gracefully handling the situation and continuing
> from the next good bytes.
I put the need for secure un-exploitable code at the top of my list
for any code which operates on data from un-trusted sources. Sorry,
that's not negotiable :-).
> I think it would be better to let the decoder
> continue its work when possible and perform input validation where it's
> relevant.
I also completely agree with this.
I will take a look at these CVE fixes over the next couple of days.
Feel free to ping me if you don't hear anything by early next week.
Cheers,
Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
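As an added illustration of the position the two messages converge on (secure against untrusted input, yet tolerant of corruption), the following C example validates a block's declared length against the bytes actually remaining before touching the payload, and on a bad header resynchronises on the next sync pattern instead of either reading past the buffer or abandoning the stream. This is example code written for this page, not FLAC's decoder and not code from this thread; the SYNC0/SYNC1/LEN block layout, MAX_PAYLOAD, decode_stream and the sample buffers are all constructed for the demonstration and do not reflect FLAC's real frame format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy container (constructed for this example, not FLAC's
 * frame layout): each block is SYNC0 SYNC1 LEN PAYLOAD[LEN]. */
#define SYNC0 0xFF
#define SYNC1 0xF8
#define HDR_LEN 3
#define MAX_PAYLOAD 64   /* domain sanity bound on a declared length */

struct decode_stats {
    size_t blocks;        /* well-formed blocks decoded */
    size_t bytes_skipped; /* bytes discarded while resynchronising */
    uint32_t checksum;    /* running sum of accepted payload bytes */
};

/* Decode every block in buf[0..len). A block is accepted only if a full
 * header is present and its declared payload length fits both the sanity
 * bound and the bytes remaining in the input. Anything else is treated as
 * corruption: the decoder advances one byte and searches for the next sync
 * pattern, so it never reads outside [buf, buf+len) and never gives up on
 * the rest of the stream because of one bad header. */
struct decode_stats decode_stream(const uint8_t *buf, size_t len)
{
    struct decode_stats st = {0, 0, 0};
    size_t pos = 0;

    while (pos < len) {
        /* Need the whole header before trusting any field in it. */
        if (len - pos < HDR_LEN || buf[pos] != SYNC0 || buf[pos + 1] != SYNC1) {
            pos++;
            st.bytes_skipped++;
            continue;
        }
        size_t payload_len = buf[pos + 2];
        /* Validate the length field against what is actually available. */
        if (payload_len > MAX_PAYLOAD || payload_len > len - pos - HDR_LEN) {
            pos++;               /* corrupt header: resync from the next byte */
            st.bytes_skipped++;
            continue;
        }
        const uint8_t *payload = buf + pos + HDR_LEN;
        for (size_t i = 0; i < payload_len; i++)
            st.checksum += payload[i];
        st.blocks++;
        pos += HDR_LEN + payload_len;
    }
    return st;
}

/* Constructed sample: a good 2-byte block, a header claiming 255 bytes of
 * payload that do not exist, two junk bytes, then a good 1-byte block. */
struct decode_stats decode_sample(void)
{
    static const uint8_t sample[] = {
        0xFF, 0xF8, 0x02, 'a', 'b',
        0xFF, 0xF8, 0xFF, 0x11, 0x22,
        0xFF, 0xF8, 0x01, 'c'
    };
    return decode_stream(sample, sizeof sample);
}

/* Constructed sample: a header whose length runs past the end of the input.
 * Nothing is decoded and nothing is read beyond the 4 bytes provided. */
struct decode_stats decode_truncated(void)
{
    static const uint8_t truncated[] = { 0xFF, 0xF8, 0x05, 'x' };
    return decode_stream(truncated, sizeof truncated);
}

int main(void)
{
    struct decode_stats a = decode_sample();
    struct decode_stats b = decode_truncated();
    printf("sample:    blocks=%zu skipped=%zu checksum=%u\n",
           a.blocks, a.bytes_skipped, a.checksum);
    printf("truncated: blocks=%zu skipped=%zu checksum=%u\n",
           b.blocks, b.bytes_skipped, b.checksum);
    return 0;
}
```

The two checks on the length field are the security part: the comparison against `len - pos - HDR_LEN` is what prevents an out-of-bounds read on a malformed file, and the comparison against MAX_PAYLOAD rejects values that no well-formed producer would emit. The resynchronisation loop is the graceful part: a corrupt header costs a few skipped bytes, not the rest of the stream.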