[flac-dev] Two new CVEs against FLAC
Erik de Castro Lopo
mle+la at mega-nerd.com
Wed Dec 10 22:54:15 PST 2014
Erik de Castro Lopo wrote:
> I think I have an alternative fix for the CVE which should not break
> seeking. I'm working on getting an copy of the file with which to test.
Patch applied and pushed.
commit b4b2910bdca010808ccf2799f55562fa91f4347b
Author: Erik de Castro Lopo <erikd at mega-nerd.com>
Date: Wed Dec 10 18:54:16 2014 +1100
src/libFLAC/stream_decoder.c : Fix seek bug.
Janne Hyvärinen reported a problem with seeking as a result of the
fix for CVE-2014-9028. This is a different solution to the issue
that should not adversely affect seeking.
This version of the fix for the above CVE has been extensively fuzz
tested using afl (http://lcamtuf.coredump.cx/afl/).
Cheers,
Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
More information about the flac-dev
mailing list