[opus] Opus 1.1.4 released

Jean-Marc Valin jmvalin at jmvalin.ca
Fri Jan 20 21:42:38 UTC 2017


Hi,

We just released Opus 1.1.4, which fixes a single bug. A
specially-crafted Opus packet could cause an integer wrap-around in the
SILK LSF stabilization code. This would cause an out-of-bounds read 256
bytes before a constant table. In most circumstances, the consequences
are harmless and the result is simply noise in the audio.

This was reported as CVE-2017-0381 [1]. Contrary to that report, our own
analysis [2] shows that no remote code execution is possible. However,
we are making this release as a precaution. As usual, you can get it
from the Opus website at: https://www.opus-codec.org/

Cheers,

	Jean-Marc

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0381
[2]
https://git.xiph.org/?p=opus.git;a=commit;h=70a3d641b760b3d313b6025f82aed93a460720e5
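
The bug class named in the announcement, a 16-bit wrap-around that ends up as a negative table index, can be shown in isolation. The following is an added illustration, not Opus code and not part of the original message. The function names, the table, the shift by 8 and the sample inputs are all assumptions, chosen so that the wrapped value lands 256 bytes before a table of 16-bit entries.

```c
#include <stdint.h>
#include <stdio.h>

/* All names and values here are hypothetical; this is not Opus code. */
#define TABLE_LEN 129
static const int16_t table[TABLE_LEN] = {0}; /* constructed constant table */

/* Sum truncated to 16 bits: what storing an int result in an int16_t does. */
static int16_t add_wrap16(int16_t a, int16_t b) {
    uint16_t u = (uint16_t)((int32_t)a + (int32_t)b);
    return (int16_t)(u >= 0x8000 ? (int32_t)u - 0x10000 : (int32_t)u);
}

/* Saturating sum: clamps to the int16_t range instead of wrapping. */
static int16_t add_sat16(int16_t a, int16_t b) {
    int32_t s = (int32_t)a + (int32_t)b;
    if (s > INT16_MAX) return INT16_MAX;
    if (s < INT16_MIN) return INT16_MIN;
    return (int16_t)s;
}

/* Assumed indexing scheme: drop the low 8 bits of a Q15 value
   (arithmetic right shift, as on mainstream compilers). */
static int table_index(int16_t v_q15) { return v_q15 >> 8; }

/* Byte offset of the entry relative to the start of the table. */
static long byte_offset(int16_t v_q15) {
    return (long)table_index(v_q15) * (long)sizeof(table[0]);
}

/* Bounds-checked read: returns 0 and stores the entry, or -1 if the
   index falls outside the table. No out-of-bounds access is performed. */
static int checked_lookup(int16_t v_q15, int16_t *out) {
    int i = table_index(v_q15);
    if (i < 0 || i >= TABLE_LEN) return -1;
    *out = table[i];
    return 0;
}

int main(void) {
    int16_t a = 32000, b = 768, out = 0; /* constructed inputs, sum = 32768 */
    int16_t w = add_wrap16(a, b), s = add_sat16(a, b);
    printf("wrap: %d index %d offset %ld lookup %d\n",
           w, table_index(w), byte_offset(w), checked_lookup(w, &out));
    printf("sat:  %d index %d offset %ld lookup %d\n",
           s, table_index(s), byte_offset(s), checked_lookup(s, &out));
    return 0;
}
```

Either the saturating add or the index check alone keeps the read inside the table; using both guards the arithmetic and the access independently.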

