[flac-dev] Two new CVEs against FLAC

Erik de Castro Lopo mle+la at mega-nerd.com
Tue Dec 9 11:33:39 PST 2014


Janne Hyvärinen wrote:

> In general I'm against patches that error out at the first sign of 
> corruption instead of gracefully handling the situation and continuing 
> from the next good bytes.

I put the need for secure un-exploitable code at the top of my list 
for any code which operates on data from un-trusted sources. Sorry,
that's not negotiable :-).

> I think it would be better to let the decoder 
> continue its work when possible and perform input validation where it's 
> relevant.

I also completely agree with this.

I will take a look at these CVE fixes over the next couple of days.
Feel free to ping me if you don't hear anything by early next week.

Cheers,
Erik
-- 
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
