[vlc-devel] Bug#622091: libmodplug ReadS3M stack overflow
Martin Storsjö
martin at martin.st
Sun Apr 10 20:21:37 CEST 2011
On Sun, 10 Apr 2011, Rémi Denis-Courmont wrote:
> Hello,
>
> Le dimanche 10 avril 2011 18:34:34 Nico Golde, vous avez écrit :
> > * Remi Denis-Courmont <remi at remlab.net> [2011-04-10 09:36]:
> > > An exploitable memory corruption vulnerability has been publicized
> > > against libmodplug 0.8.8.1:
> > > http://seclists.org/fulldisclosure/2011/Apr/113
> > >
> > > Upstream version 0.8.8.2 fixes the issue.
> >
> > How important is this library for vlc and others from an end-user
> > perspective? The code doesn't look like it was written with security in
> > mind and I guess it's only a matter of time for new issues to popup for
> > this lib.
>
> I have not looked at the code. I believe it's the only way to decode trackers
> in VLC (and possibly other media frameworks) at the moment. I do not know any
> alternative OSS library for tracker decoding.
Ages ago, (lib)mikmod was quite popular, but a quick google shows that it
doesn't seem all too maintained these days, and iirc modplug sounded
better.
// Martin
More information about the vlc-devel
mailing list