[vlc-devel] CVE-2019-13602 Heap Based Buffer Overflow Vulnerability

Rémi Denis-Courmont remi at remlab.net
Tue Jul 16 18:37:51 CEST 2019

Le tiistaina 16. heinäkuuta 2019, 19.23.23 EEST Rémi Denis-Courmont a écrit :
> Le tiistaina 16. heinäkuuta 2019, 10.35.12 EEST Francois Cartegnie a écrit :
> > https://www.securityfocus.com/bid/109158/references
> > 
> > So now we create a new CVE for the out of bound access introduced by the
> > CVE fix ?
> You had several weeks to fix this bug better, also plenty of time to comment
> before it was backported (unlike a recent certain commit from a certain
> somebody), and you still have time to fix it before it gets released.

Also smart asses will note that block_Alloc() always adds a margin of 32-bytes 
at the end of the block buffer. So, in general, the worse outcome of a read 
"overflow" of 4 bytes is leakage of memory content. And in this specific case, 
literally nothing will happen other than the code being ugly.


More information about the vlc-devel mailing list