oss-sec mailing list archives

Re: mpg123: global buffer overflow in III_i_stereo (layer3.c)

From: Agostino Sarubbo <ago () gentoo org>
Date: Mon, 10 Jul 2017 12:34:36 +0200

All the info were updated.


On Monday 10 July 2017 11:42:53 Dr. Thomas Orgis wrote:

Is this really worth a CVE, though? So far I was only able to see a
crash triggered by the AddressSanitizer.


Often, when there is an out-of-bound condition there is no crash, and the 
application works as expected. It is only visible with debuggers or in case of 
stack overflow with fortify_source enabled, so I think it's an expected 
behaviour.

-- 
Agostino Sarubbo
Gentoo Linux Developer

Current thread:

mpg123: global buffer overflow in III_i_stereo (layer3.c) Agostino Sarubbo (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Dr. Thomas Orgis (Jul 10)
  - Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Agostino Sarubbo (Jul 10)
  - Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Seth Arnold (Jul 10)
    - Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Kurt Seifried (Jul 10)
  - Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Michal Zalewski (Jul 10)
    - Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Kurt Seifried (Jul 10)
    - Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Dr. Thomas Orgis (Jul 11)
    - Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Jonas Thiem (Jul 11)
    - Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Dr. Thomas Orgis (Jul 11)