While going on the faad2 homepage, I found this:
Security patch Earlier today I was notified of a possible security flaw in the command line frontend for FAAD2, on a specially constructed file the frontend can cause a heap overflow when reading from a buffer returned by the decoder library. A patch can be found here. Note that this only affects the frontend, not the library. Many thanks to ICST-ERCIS (Peking University) for reporting this issue.
I don't have more info; I think I could just apply the patch in a new revision. Do you have more information about this (like the impact, a POC, etc.)?
Created attachment 166174 [details, diff]
Make the thing apply cleanly.
+*faad2-2.6.1-r2 (23 Sep 2008)
+ 23 Sep 2008; Peter Alfredsen <email@example.com>
+ +files/faad2-2.6.1-main-overflow.patch, +faad2-2.6.1-r2.ebuild:
+ Security bump w/ patch from bug 238445
Arches, please test and mark stable media-libs/faad2-2.6.1-r2. Target keywords: "alpha amd64 ~arm hppa ia64 ~mips ppc ppc64 ~sh sparc x86 ~x86-fbsd"
Stable for HPPA.
Sparc stable for -2.6.1-r2.
Heap-based buffer overflow in the decodeMP4file function
(frontend/main.c) in FAAD2 before 2.6.1 allows remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code
via a crafted MPEG-4 (MP4) file.
GLSA request filed.
GLSA 200811-03, thanks everyone, sorry about the delay.