Integer underflow in the Huffman decoding functionality (pvmp3_huffman_parsing.cpp) in OpenCORE 2.0 and earlier allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a crafted MP3 file that triggers heap corruption.
The OpenCORE multimedia decoding subsystem suffers from an insufficient bounds checking vulnerability during MP3 decoding. Versions 2.0 and below are affected.