Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 Nov 2020 21:34:16 -0800
From: Ian Zimmerman <>
Subject: Re: libass ass_outline.c signed integer overflow

On 2020-09-29 08:19, Fstark wrote:

> In `ass_outline_construct`'s call to `outline_stroke` a signed integer
> overflow happens *(undefined behaviour)*. On my machine signed overflow
> happens to wrap around to a negative value, thus failing the assert.

I have followed the links above, and this seems to be an example of a
situation where the CVE process has failed. It is still not fixed in
Debian, possibly for that reason. I'll report a Debian bug today.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.