[vlc-devel] Bug#622091: libmodplug ReadS3M stack overflow

Martin Storsjö martin at martin.st
Sun Apr 10 20:21:37 CEST 2011


On Sun, 10 Apr 2011, Rémi Denis-Courmont wrote:

> 	Hello,
> 
> On Sunday 10 April 2011 18:34:34 Nico Golde, you wrote:
> > * Remi Denis-Courmont <remi at remlab.net> [2011-04-10 09:36]:
> > > An exploitable memory corruption vulnerability has been publicized
> > > against libmodplug 0.8.8.1:
> > > http://seclists.org/fulldisclosure/2011/Apr/113
> > > 
> > > Upstream version 0.8.8.2 fixes the issue.
> > 
> > How important is this library for vlc and others from an end-user
> > perspective? The code doesn't look like it was written with security in
> > mind and I guess it's only a matter of time for new issues to pop up for
> > this lib.
> 
> I have not looked at the code. I believe it's the only way to decode trackers 
> in VLC (and possibly other media frameworks) at the moment. I do not know any 
> alternative OSS library for tracker decoding.

Ages ago, (lib)mikmod was quite popular, but a quick google shows that it 
doesn't seem all too maintained these days, and iirc modplug sounded 
better.

// Martin

