[flac-dev] Two new CVEs against FLAC

Miroslav Lichvar mlichvar at redhat.com
Tue Dec 9 23:23:07 PST 2014

On Tue, Dec 09, 2014 at 11:33:39AM -0800, Erik de Castro Lopo wrote:
> Janne Hyvärinen wrote:
> > I think it would be better to let the decoder 
> > continue its work when possible and perform input validation where it's 
> > relevant.
> I also completely agree with this.
> I will take a look at these CVE fixes over the next couple of days.
> Feel free to ping me if you don't hear anythng by early next week.

I think the CVE fixes are good, even if there were no security
implications. A function that reads residuals can't return success if
it didn't read any residuals.

If it breaks seeking, it means there is a bug somewhere else. A
reproducer would be useful.

Miroslav Lichvar

More information about the flac-dev mailing list