oss-sec mailing list archives

Re: mpg123: global buffer overflow in III_i_stereo (layer3.c)


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 10 Jul 2017 19:04:37 -0700

> It's hard to see a security issue here

I'm not sure this applies here, but the use of uninitialized memory
can be an issue when, say, a website calls your code to convert
user-controlled audio (e.g., to optimize it for streaming). For
libraries, this could leak some information about the audio converted
for other users, possibly revealing it to the attacker. For one-shot
conversions with a command-line tool, this is unlikely, but the
uninitialized memory could still end up leaking some system-specific
secrets (e.g., ASLR memory layout, credentials, etc.).

Not that this is necessarily a risk here; depends on how much memory
is accessed, what happens with it later on, whether anyone is even
using the library / tool this way, whether doing so is sane in the
first place, etc.

/mz
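
An added example, not part of the original message and not mpg123 code, of the library case described above: a conversion routine that keeps a work buffer across calls and returns bytes it never filled for the current request. All names (`convert_weak`, `convert_hardened`, `stale_bytes`) and sample inputs are hypothetical; a reused static buffer stands in for uninitialized memory so the result is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define FRAME 16  /* bytes per output frame (constructed size) */

typedef size_t (*conv_fn)(const unsigned char *, size_t, unsigned char *);

/* Work buffer that lives across calls, like long-lived decoder state. */
static unsigned char work[FRAME];

/* Weak: fills only n bytes but always emits a full frame, so a short
 * input leaves the tail of `work` holding the previous caller's data. */
size_t convert_weak(const unsigned char *in, size_t n, unsigned char *out)
{
    if (n > FRAME) n = FRAME;
    memcpy(work, in, n);
    memcpy(out, work, FRAME);
    return FRAME;
}

/* Hardened: clear the frame first, so the unfilled tail is zeros. */
size_t convert_hardened(const unsigned char *in, size_t n, unsigned char *out)
{
    if (n > FRAME) n = FRAME;
    memset(work, 0, FRAME);
    memcpy(work, in, n);
    memcpy(out, work, FRAME);
    return FRAME;
}

/* Convert user A's input, then user B's short input, and count how many
 * of A's bytes appear in B's output. Both inputs are constructed. */
size_t stale_bytes(conv_fn conv)
{
    unsigned char user_a[FRAME], out[FRAME];
    const unsigned char user_b[4] = {1, 2, 3, 4};
    size_t i, leaked = 0;

    memset(user_a, 0xA5, sizeof user_a);
    conv(user_a, sizeof user_a, out);
    conv(user_b, sizeof user_b, out);
    for (i = sizeof user_b; i < FRAME; i++)
        if (out[i] == 0xA5) leaked++;
    return leaked;
}

int main(void)
{
    printf("weak: %zu stale bytes, hardened: %zu\n",
           stale_bytes(convert_weak), stale_bytes(convert_hardened));
    return 0;
}
```

Building real decoders with MemorySanitizer or running them under Valgrind flags reads of truly uninitialized memory, which this deterministic model does not exercise.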

