[flac-dev] Two new CVEs against FLAC

Erik de Castro Lopo mle+la at mega-nerd.com
Tue Dec 9 11:33:39 PST 2014

Janne Hyvärinen wrote:

> In general I'm against patches that error out at the first sign of 
> corruption instead of gracefully handling the situation and continuing 
> from the next good bytes.

I put the need for secure un-exploitable code at the top of my list 
for any code which operates on data from un-trusted sources. Sorry,
that's not negotiable :-).

> I think it would be better to let the decoder 
> continue its work when possible and perform input validation where it's 
> relevant.

I also completely agree with this.

I will take a look at these CVE fixes over the next couple of days.
Feel free to ping me if you don't hear anything by early next week.

Erik de Castro Lopo
