[flac-dev] Two new CVEs against FLAC

lvqcl lvqcl.mail at gmail.com
Thu Dec 11 07:31:25 PST 2014


Martijn van Beurden wrote:

> For example, it could be checked whether the sample
> rate, blocksize, number of channels and sample size in the frame
> header match with those in the stream info, and whether the
> sample or framenumber is in a sane range. This gives less
> security than fully decoding the frame, but it ensures the seek
> process will no longer fail because of these CVE sanity checks.


IIRC flake encoder is able to create FLAC files with variable blocksizes.
So it's better to assume that blocksize is not constant.


More information about the flac-dev mailing list