On 11/08/17 19:07, Sebastian Andrzej Siewior wrote:
> [0] https://security-tracker.debian.org/tracker/CVE-2017-6419
> Stuart, is this enough information or do you need more?

I'm interested in how the fix is to add a check to see if window_posn+this_run wraps the window, immediately below a comment that expressly states that won't happen, with the reasoning: this_run has already been clamped to ensure it does not wrap a frame, and frames don't wrap windows.

If this is incorrect reasoning, what part of the reasoning is wrong? Is this_run somehow not being clamped to <=FRAME_SIZE through some code path? If so, the fix is to clamp it. Is window size not a multiple of frame size? If so, something is very wrong.

I'd be interested in seeing an example file that gets to this condition.

Also, if ClamAV made a change five months ago, and they're confident it's a bug in libmspack.... why am I only finding out today?
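
The invariant argued in the message above, as a small C model added here for illustration; it is not libmspack or ClamAV code. The function names, the circular frame layout and the `clamp` flag are assumptions, and 32768 is the LZX frame size.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative model only: not taken from libmspack or ClamAV. */
#define FRAME_SIZE 32768u  /* LZX frame size in bytes */

/* Clamp a requested run so it stops at the end of the current frame.
 * frame_posn = bytes already produced inside the current frame. */
static size_t clamp_to_frame(size_t frame_posn, size_t want)
{
    size_t left = frame_posn < FRAME_SIZE ? FRAME_SIZE - frame_posn : 0;
    return want < left ? want : left;
}

/* 1 if a run starting frame_posn bytes into the frame at frame_start would
 * pass the end of the window. clamp=0 models a path that skips the clamp. */
static int run_passes_window_end(size_t window_size, size_t frame_start,
                                 size_t frame_posn, size_t want, int clamp)
{
    size_t run = clamp ? clamp_to_frame(frame_posn, want) : want;
    size_t window_posn = frame_start + frame_posn;
    return window_posn + run > window_size;
}

/* Lay out nframes consecutive frames in a circular window and count the
 * frames in which a fully clamped run still passes the end of the window. */
static size_t frames_that_wrap(size_t window_size, size_t nframes)
{
    size_t start = 0, bad = 0;
    for (size_t i = 0; i < nframes; i++) {
        bad += run_passes_window_end(window_size, start, 0, FRAME_SIZE, 1);
        start = (start + FRAME_SIZE) % window_size;
    }
    return bad;
}

int main(void)
{
    /* Window is a multiple of the frame size: no clamped run can wrap. */
    printf("65536-byte window: %zu\n", frames_that_wrap(65536, 8));
    /* Window is not a multiple of the frame size: frames straddle the end. */
    printf("40000-byte window: %zu\n", frames_that_wrap(40000, 4));
    /* Same aligned window, but the clamp is skipped on this path. */
    printf("clamp skipped: %d\n", run_passes_window_end(65536, 32768, 100, 40000, 0));
    return 0;
}
```

The model reports a wrap only when one of the two premises named in the message fails: the run is not clamped to the frame, or the window size is not a multiple of the frame size.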

