Re: [flac-dev] Two new CVEs against FLAC

Erik de Castro Lopo Wed, 10 Dec 2014 22:54:45 -0800

Erik de Castro Lopo wrote:

> I think I have an alternative fix for the CVE which should not break
> seeking. I'm working on getting an copy of the file with which to test.


Patch applied and pushed.

    commit b4b2910bdca010808ccf2799f55562fa91f4347b
    Author: Erik de Castro Lopo <er...@mega-nerd.com>
    Date:   Wed Dec 10 18:54:16 2014 +1100

    src/libFLAC/stream_decoder.c : Fix seek bug.
    
    Janne Hyvärinen reported a problem with seeking as a result of the
    fix for CVE-2014-9028. This is a different solution to the issue
    that should not adversely affect seeking.
    
    This version of the fix for the above CVE has been extensively fuzz
    tested using afl (http://lcamtuf.coredump.cx/afl/).
    
Cheers,
Erik
-- 
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
_______________________________________________
flac-dev mailing list
flac-dev@xiph.org
http://lists.xiph.org/mailman/listinfo/flac-dev

Re: [flac-dev] Two new CVEs against FLAC

Reply via email to