adplug is vulnerable to arbitrary code execution. Multiple heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream()
in bmf.cpp
allows an attacker to execute arbitrary code on the host OS.
github.com/adplug/adplug/commit/d7f3a047e42395662ddbec04300ce78bfb40b95c
github.com/adplug/adplug/issues/85
lists.fedoraproject.org/archives/list/[email protected]/message/Q32A64R2APAC5PXIMSYIEFDQX5AD4GAS/
lists.fedoraproject.org/archives/list/[email protected]/message/U3PW6PLDTPSQQRHKTU2FB72SUB4Q66NE/