
Displaying 3 results from an estimated 3 matches for "a9eb99a5bd6f".

2020 Jul 07
2
new 1.3.7 and fix for CVE-2018-10392 (issue 2335)?
...we believe CVE-2018-10393 is a duplicate of CVE-2017-14160, both fixed by commit 018ca26dece6. Because of the confusion, I added additional bounds checks to the bark_noise_hybridmp function, which make it clear to local analysis that no for bugs in this class are possible. This change is in commit a9eb99a5bd6f. Both of these changes are included in the libvorbis 1.3.7 release, posted today. This upstream release addresses all the CVE issues I'm aware of. Hopefully that addresses your needs. Thanks for your patience while we prepared this release, and thanks to everyone who contributed patches, test...
2020 Jul 04
0
can we help with libvorbis release for CVE fixes?
...e believe CVE-2018-10393 is a duplicate of CVE-2017-14160, both fixed by commit 018ca26dece6. Because of the confusion, I added additional bounds checks to the bark_noise_hybridmp function, which make it clear to local analysis that no for bugs in this class are possible. This change is in commit a9eb99a5bd6f. Both of these changes are included in the libvorbis 1.3.7 release, posted today. This upstream release addresses all the CVE issues I'm aware of. Hopefully that addresses your needs. Thanks for your patience while we prepared this release, and thanks to everyone who contributed patches, test...
2020 Jun 12
4
can we help with libvorbis release for CVE fixes?
Hi Ralph, Thank you for your reply! For context -- we consider reported CVEs as bugs even if it's in a third-party library we use (such as libvorbis). We first determine if the CVE is something that would impact our customer workflows. In this case because of our use of libvorbis for audio I/O, it does impact our customers so we need to resolve the CVE as soon as possible. In the