[flac-dev] Two new CVEs against FLAC

Erik de Castro Lopo mle+la at mega-nerd.com
Wed Dec 10 22:54:15 PST 2014

Erik de Castro Lopo wrote:

> I think I have an alternative fix for the CVE which should not break
> seeking. I'm working on getting a copy of the file with which to test.

Patch applied and pushed.

    commit b4b2910bdca010808ccf2799f55562fa91f4347b
    Author: Erik de Castro Lopo <erikd at mega-nerd.com>
    Date:   Wed Dec 10 18:54:16 2014 +1100

    src/libFLAC/stream_decoder.c : Fix seek bug.

    Janne Hyvärinen reported a problem with seeking as a result of the
    fix for CVE-2014-9028. This is a different solution to the issue
    that should not adversely affect seeking.

    This version of the fix for the above CVE has been extensively fuzz
    tested using afl (http://lcamtuf.coredump.cx/afl/).

Erik de Castro Lopo
