[vlc-devel] Bug#622091: libmodplug ReadS3M stack overflow
Rémi Denis-Courmont
remi at remlab.net
Sun Apr 10 17:48:32 CEST 2011
Hello,
Le dimanche 10 avril 2011 18:34:34 Nico Golde, vous avez écrit :
> * Remi Denis-Courmont <remi at remlab.net> [2011-04-10 09:36]:
> > An exploitable memory corruption vulnerability has been publicized
> > against libmodplug 0.8.8.1:
> > http://seclists.org/fulldisclosure/2011/Apr/113
> >
> > Upstream version 0.8.8.2 fixes the issue.
>
> How important is this library for vlc and others from an end-user
> perspective? The code doesn't look like it was written with security in
> mind and I guess it's only a matter of time for new issues to popup for
> this lib.
I have not looked at the code. I believe it's the only way to decode trackers
in VLC (and possibly other media frameworks) at the moment. I do not know any
alternative OSS library for tracker decoding.
Except for an alternative library, or for Chrome-style process separation, I
think there is not much of a solution to that "problem". (Process separation
would ruin performances, would not be portable, and would require man-years of
development and big money.)
--
Rémi Denis-Courmont
http://www.remlab.info/
http://fi.linkedin.com/in/remidenis
More information about the vlc-devel
mailing list