Date: Wed, 18 Nov 2020 21:34:16 -0800 From: Ian Zimmerman <itz@...y.loosely.org> To: oss-security@...ts.openwall.com Subject: Re: libass ass_outline.c signed integer overflow On 2020-09-29 08:19, Fstark wrote: > In `ass_outline_construct`'s call to `outline_stroke` a signed integer > overflow happens *(undefined behaviour)*. On my machine signed overflow > happens to wrap around to a negative value, thus failing the assert. > https://github.com/libass/libass/issues/431 > > https://github.com/libass/libass/pull/432 I have followed the links above, and this seems to be an example of a situation where the CVE process has failed. It is still not fixed in Debian, possibly for that reason. I'll report a Debian bug today. -- Ian
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.