[flac-dev] Two new CVEs against FLAC
Miroslav Lichvar
mlichvar at redhat.com
Tue Dec 9 23:23:07 PST 2014
On Tue, Dec 09, 2014 at 11:33:39AM -0800, Erik de Castro Lopo wrote:
> Janne Hyvärinen wrote:
> > I think it would be better to let the decoder
> > continue its work when possible and perform input validation where it's
> > relevant.
>
> I also completely agree with this.
>
> I will take a look at these CVE fixes over the next couple of days.
> Feel free to ping me if you don't hear anything by early next week.
I think the CVE fixes are good, even if there were no security
implications. A function that reads residuals can't return success if
it didn't read any residuals.
If it breaks seeking, it means there is a bug somewhere else. A
reproducer would be useful.
--
Miroslav Lichvar