[opus] Opus 1.1.4 released

Jean-Marc Valin jmvalin at jmvalin.ca
Fri Jan 20 21:42:38 UTC 2017


We just released Opus 1.1.4, which fixes a single bug. A
specially-crafted Opus packet could cause an integer wrap-around in the
SILK LSF stabilization code. This would cause an out-of-bounds read 256
bytes before a constant table. In most circumstances, the consequences
are harmless and the result is simply noise in the audio.

This was reported as CVE-2017-0381 [1]. Contrary to that report, our own
analysis [2] shows that no remote code execution is possible. However,
we are making this release as a precaution. As usual, you can get it
from the Opus website at: https://www.opus-codec.org/



[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0381

More information about the opus mailing list