Janne Hyvärinen wrote:

> In general I'm against patches that error out at the first sign of
> corruption instead of gracefully handling the situation and continuing
> from the next good bytes.

I put the need for secure un-exploitable code at the top of my list for any code which operates on data from un-trusted sources. Sorry, that's not negotiable :-).

> I think it would be better to let the decoder
> continue its work when possible and perform input validation where it's
> relevant.

I also completely agree with this.

I will take a look at these CVE fixes over the next couple of days. Feel free to ping me if you don't hear anything by early next week.

Cheers,
Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
_______________________________________________
flac-dev mailing list
flac-dev@xiph.org
http://lists.xiph.org/mailman/listinfo/flac-dev