[Speex-dev] 答复: Security question 请秦卓转发如下邮件给speex开发团队

qinzhuo (C) qinzhuo2 at huawei.com
Mon Jul 2 13:53:06 UTC 2018

In the using the speex software, we found that the "speex_alloc" of the code did not check whether the memory was allocated and used it directly. Is there a security risk? Is there a solution for this?

For example(Attached code screenshot):
speex-1.2rc1: sb_celp.c  Line From 242 to 251.  (in function sb_encoder_init)

发件人: Jean-Marc Valin [mailto:jmvalin at jmvalin.ca]
发送时间: 2018年3月20日 6:46
收件人: qinzhuo (C) <qinzhuo2 at huawei.com>; speex-dev at xiph.org
抄送: Gaozhendong <gaozhendong at hisilicon.com>; Zhangxiaolong (C) <xl.zhang at hisilicon.com>
主题: Re: [Speex-dev] hello speex官网

On 02/27/2018 10:03 AM, qinzhuo (C) wrote:
> Learned from the official website, Speex replaced by opus. We want to 
> confirm whether Speex can continue to use? If there is a significant 
> security risk or vulnerability, will the official website update Speex 
> software?

You can absolutely continue to use Speex for as long as you want. Given that Opus is much better than Speex, it makes little sense to develop new products based on Speex, but for things that already use Speex, it often makes sense to keep it. Although we have stopped improving it, it is still being maintained. We are not aware of any security vulnerability in the current version, but should we become aware of one, we would promptly fix it and make a new release.



More information about the Speex-dev mailing list