[vlc-devel] Bug#622091: libmodplug ReadS3M stack overflow

Juha Jeronen juha.jeronen at jyu.fi
Mon Apr 11 11:38:21 CEST 2011


On 04/10/2011 09:21 PM, Martin Storsjö wrote:
> On Sun, 10 Apr 2011, Rémi Denis-Courmont wrote:
>
>> On Sunday 10 April 2011 18:34:34 Nico Golde, you wrote:
>>> * Remi Denis-Courmont <remi at remlab.net> [2011-04-10 09:36]:
>>>> An exploitable memory corruption vulnerability has been publicized
>>>> against libmodplug 0.8.8.1:
>>>> http://seclists.org/fulldisclosure/2011/Apr/113
>>>>
>>>> Upstream version 0.8.8.2 fixes the issue.
>>> How important is this library for vlc and others from an end-user
>>> perspective? The code doesn't look like it was written with security in
>>> mind and I guess it's only a matter of time for new issues to pop up for
>>> this lib.
>> I have not looked at the code. I believe it's the only way to decode trackers 
>> in VLC (and possibly other media frameworks) at the moment. I do not know any 
>> alternative OSS library for tracker decoding.

I agree that it's very important if one wants to listen to tracker music.


> Ages ago, (lib)mikmod was quite popular, but a quick google shows that it 
> doesn't seem all too maintained these days, and iirc modplug sounded 
> better.

I'd forgotten about libmikmod :)

Yeah, Modplug is probably the better-sounding one. I used to compose
tracker music, and Modplug was the only one that rendered .IT (Impulse
Tracker) almost correctly ;)


 -J



