speex
Page content
- Vulnerable: 1.2beta3-1
- Unaffected: 1.2beta3-2kalgan1
The reference speex decoder from the Speex library is performing insufficient boundary checks on a header structure read from user input. A user controlled field in the header structure is used to build a function pointer. The reference speex decoder does not check for negative values for the field, allowing the function pointer to be pointed at an arbitary position in memory. This allows remote code execution.
- Bug Tracker URL: http://bugs.frugalware.org/task/3023