[vlc-devel] CVE-2019-13602 Heap Based Buffer Overflow Vulnerability
Rémi Denis-Courmont
remi at remlab.net
Tue Jul 16 18:37:51 CEST 2019
Le tiistaina 16. heinäkuuta 2019, 19.23.23 EEST Rémi Denis-Courmont a écrit :
> Le tiistaina 16. heinäkuuta 2019, 10.35.12 EEST Francois Cartegnie a écrit :
> > https://www.securityfocus.com/bid/109158/references
> >
> > So now we create a new CVE for the out of bound access introduced by the
> > CVE fix ?
>
> You had several weeks to fix this bug better, also plenty of time to comment
> before it was backported (unlike a recent certain commit from a certain
> somebody), and you still have time to fix it before it gets released.
Also smart asses will note that block_Alloc() always adds a margin of 32-bytes
at the end of the block buffer. So, in general, the worse outcome of a read
"overflow" of 4 bytes is leakage of memory content. And in this specific case,
literally nothing will happen other than the code being ugly.
--
雷米‧德尼-库尔蒙
http://www.remlab.net/
More information about the vlc-devel
mailing list