Two Vulnerabilities to be Found at SDL

Two of six serious vulnerabilities in this cross-platform multimedia library create conditions for remote code execution.
04 July 2019   1796

The SDL (Simple Direct Layer) library set, which provides tools for hardware accelerated 2D and 3D graphics rendering, input processing, audio playback, 3D output via OpenGL / OpenGL ES, and many other related operations, revealed 6 vulnerabilities. Including in the SDL2_image library, two problems have been discovered that allow organizing remote code execution in the system. Attacks can be made on applications that use SDL to load images.

Both vulnerabilities (CVE-2019-5051, CVE-2019-5051) are present in the IMG_LoadPCX_RW function and are caused by the lack of the necessary error handler and integer overflow that can be exploited through the transfer of a specially crafted PCX file. Issues have already been fixed in the SDL_image 2.0.5 release. Information about the remaining 4 vulnerabilities has not yet been disclosed.

Vulnerabilities were found by Talos, so you can find more info at their website.

QuickJS to be Updated

This is anĀ engine the supports the ES2019 specification and additional mathematical extensions, such as the BigInt and BigFloat types
23 January 2020   162

French mathematician Fabrice Bellard, who once founded the QEMU and FFmpeg projects, has published an update to the QuickJS compact embedded JavaScript engine he is developing. The engine supports the ES2019 specification and additional mathematical extensions, such as the BigInt and BigFloat types. In performance, QuickJS is noticeably superior to its existing counterparts (XS by 35%, DukTape more than twice, JerryScript three times, and MuJS seven times). The project offers a library for embedding the engine, a qjs interpreter for running JavaScript code from the command line, and a qjsc compiler for generating self-contained executable files. The code is written in C and distributed under the MIT license. More details about the project can be found in the text of the announcement of the first issue.

The new version adds experimental support of the BigDecimal type, which allows you to manipulate decimal numbers with arbitrary precision (analogue of BigInt for numbers with base 10). Updated implementation of operator overloading. Added examples of programs for effectively calculating the Pi number up to a billion decimal places (as a mathematician, Fabrice Bellar is known as the creator of the fastest formula for calculating the Pi number).

Get more at the official website of the author.