<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: libass ass_outline.c signed integer overflow
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Moritz Mühlenhoff <jmm () inutil org>
Date: Thu, 19 Nov 2020 19:51:04 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On Thu, Nov 19, 2020 at 11:54:07AM -0500, David A. Wheeler wrote:
In `ass_outline_construct`'s call to `outline_stroke` a signed integer
overflow happens *(undefined behaviour)*. On my machine signed overflow
happens to wrap around to a negative value, thus failing the assert.
https://github.com/libass/libass/issues/431
https://github.com/libass/libass/pull/432
I have followed the links above, and this seems to be an example of a
situation where the CVE process has failed. It is still not fixed in
Debian, possibly for that reason. I'll report a Debian bug today.
I read through the issue discussion. As best as I can tell, no one filed for a CVE, so there was no CVE.
Did I misunderstand something?
If my understanding is correct, that is *NOT* a failure of the CVE process.
Yes, everything worked as designed here. This is CVE-2020-26682
Cheers,
Moritz
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Re: libass ass_outline.c signed integer overflow Ian Zimmerman (Nov 18)
Re: libass ass_outline.c signed integer overflow David A. Wheeler (Nov 19)
Re: libass ass_outline.c signed integer overflow Moritz Mühlenhoff (Nov 19)
Re: libass ass_outline.c signed integer overflow Ian Zimmerman (Nov 19)
Re: Re: libass ass_outline.c signed integer overflow Salvatore Bonaccorso (Nov 19)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->