The OpenMPT/libopenmpt project released the latest stable libopenmpt version:

libopenmpt 0.4.9 (2019-10-02)

  • [Sec] libmodplug: C API: Limit the length of strings copied to the output buffer of ModPlug_InstrumentName() and ModPlug_SampleName() to 32 bytes (including terminating null) as is done by original libmodplug. This avoids potential buffer overflows in software relying on this limit instead of querying the required buffer size beforehand. libopenmpt can return strings longer than 32 bytes here because the internal limit of 32 bytes applies to strings encoded in arbitrary character encodings but the API returns them converted to UTF-8, which can be longer. (reported by Antonio Morales Maldonado of Semmle Security Research Team) (r12129) (CVE-2019-17113)
  • [Sec] libmodplug: C++ API: Do not return 0 in CSoundFile::GetSampleName() and CSoundFile::GetInstrumentName() when a null output pointer is provided. This behaviour differed from libmodplug and made it impossible to determine the required buffer size. (r12130)
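
Added example (not libopenmpt's code): a C model of the length mismatch described above, using ISO-8859-1 as the assumed legacy encoding. `latin1_to_utf8` and `name_to_caller` are hypothetical names, and backing up to a UTF-8 character boundary when truncating is a choice made in this example, not something the changelog states.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 32 /* buffer size legacy libmodplug callers assume */

/* ISO-8859-1 -> UTF-8; every byte >= 0x80 grows to two bytes.
 * dst == NULL only measures. Returns the length without the NUL. */
static size_t latin1_to_utf8(const unsigned char *src, size_t n, char *dst) {
    size_t o = 0;
    for (size_t i = 0; i < n && src[i]; i++) {
        if (src[i] < 0x80) {
            if (dst) dst[o] = (char)src[i];
            o += 1;
        } else {
            if (dst) {
                dst[o] = (char)(0xC0 | (src[i] >> 6));
                dst[o + 1] = (char)(0x80 | (src[i] & 0x3F));
            }
            o += 2;
        }
    }
    if (dst) dst[o] = '\0';
    return o;
}

/* Hypothetical model of the bounded copy: writes at most NAME_BUF bytes
 * including the NUL. out == NULL only reports the length (assumed here). */
static size_t name_to_caller(const char *utf8, char *out) {
    size_t len = strlen(utf8);
    if (len > NAME_BUF - 1) {
        len = NAME_BUF - 1;
        /* Choice made in this example: do not split a UTF-8 sequence. */
        while (len > 0 && ((unsigned char)utf8[len] & 0xC0) == 0x80) len--;
    }
    if (out) { memcpy(out, utf8, len); out[len] = '\0'; }
    return len;
}

int main(void) {
    unsigned char raw[31];  /* constructed sample: 31 x 0xE4 (a-umlaut) */
    char utf8[2 * sizeof raw + 1], out[NAME_BUF];
    memset(raw, 0xE4, sizeof raw);
    size_t u = latin1_to_utf8(raw, sizeof raw, utf8);
    size_t c = name_to_caller(utf8, out);
    printf("stored %zu, UTF-8 %zu, copied %zu bytes\n", sizeof raw, u, c);
    return 0;
}
```

A name that fits the 32-byte internal limit in its stored encoding needs 63 bytes with the terminator once converted, which is why a caller with a fixed 32-byte buffer depends on the library bounding the copy.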

The changelog for older versions can be found at https://lib.openmpt.org/doc/changelog.html .

Source code download links:

Documentation and binary downloads can be found at the libopenmpt website at https://lib.openmpt.org/libopenmpt/.


The OpenMPT/libopenmpt project also released an update to the old libopenmpt 0.3 stable branch:

libopenmpt 0.3.19 (2019-10-02)

  • [Sec] libmodplug: C API: Limit the length of strings copied to the output buffer of ModPlug_InstrumentName() and ModPlug_SampleName() to 32 bytes (including terminating null) as is done by original libmodplug. This avoids potential buffer overflows in software relying on this limit instead of querying the required buffer size beforehand. libopenmpt can return strings longer than 32 bytes here because the internal limit of 32 bytes applies to strings encoded in arbitrary character encodings but the API returns them converted to UTF-8, which can be longer. (reported by Antonio Morales Maldonado of Semmle Security Research Team) (r12131) (CVE-2019-17113)
  • [Sec] libmodplug: C++ API: Do not return 0 in CSoundFile::GetSampleName() and CSoundFile::GetInstrumentName() when a null output pointer is provided. This behaviour differed from libmodplug and made it impossible to determine the required buffer size. (r12132)

Source code download links:

Documentation and binary downloads can be found at the libopenmpt website at https://lib.openmpt.org/libopenmpt/.


The OpenMPT/libopenmpt project also released an update to the old libopenmpt 0.2 stable branch:

libopenmpt 0.2.12147-beta41 (2019-10-02)

  • [Sec] libmodplug: C API: Limit the length of strings copied to the output buffer of ModPlug_InstrumentName() and ModPlug_SampleName() to 32 bytes (including terminating null) as is done by original libmodplug. This avoids potential buffer overflows in software relying on this limit instead of querying the required buffer size beforehand. libopenmpt can return strings longer than 32 bytes here because the internal limit of 32 bytes applies to strings encoded in arbitrary character encodings but the API returns them converted to UTF-8, which can be longer. (reported by Antonio Morales Maldonado of Semmle Security Research Team) (r12133) (CVE-2019-17113)

Source code download links:


The OpenMPT/libopenmpt project updated the following libopenmpt versions with security fixes:

libopenmpt-0.2.7561-beta20.5-p14 (2019-10-02)

  • [Sec] libmodplug: C API: Limit the length of strings copied to the output buffer of ModPlug_InstrumentName() and ModPlug_SampleName() to 32 bytes (including terminating null) as is done by original libmodplug. This avoids potential buffer overflows in software relying on this limit instead of querying the required buffer size beforehand. libopenmpt can return strings longer than 32 bytes here because the internal limit of 32 bytes applies to strings encoded in arbitrary character encodings but the API returns them converted to UTF-8, which can be longer. (reported by Antonio Morales Maldonado of Semmle Security Research Team) (r12150) (CVE-2019-17113)

The following individual patches fix the mentioned issues (these patches must all be applied sequentially on top of the original libopenmpt-0.2.7561-beta20.5 source release):

libopenmpt-0.2.7386-beta20.3-p17 (2019-10-02)

  • [Sec] libmodplug: C API: Limit the length of strings copied to the output buffer of ModPlug_InstrumentName() and ModPlug_SampleName() to 32 bytes (including terminating null) as is done by original libmodplug. This avoids potential buffer overflows in software relying on this limit instead of querying the required buffer size beforehand. libopenmpt can return strings longer than 32 bytes here because the internal limit of 32 bytes applies to strings encoded in arbitrary character encodings but the API returns them converted to UTF-8, which can be longer. (reported by Antonio Morales Maldonado of Semmle Security Research Team) (r12151) (CVE-2019-17113)

The following individual patches fix the mentioned issues (these patches must all be applied sequentially on top of the original libopenmpt-0.2.7386-beta20.3 source release):


The following libopenmpt versions are currently supported with security fixes by the OpenMPT/libopenmpt project:

  • 0.4.9
    • Current stable version.
    • Receives security updates.
    • Receives minor playback fixes.
  • 0.3.19
    • Old stable version.
    • Receives security updates.
    • Receives trivial bug fixes.
  • 0.2.12147-beta41
    • Old stable version.
    • Receives security updates.
    • Receives trivial bug fixes.
  • 0.2.7561-beta20.5-p14
    • Older stable version which is supported on Unix-like systems only.
    • Receives only security fixes.
  • 0.2.7386-beta20.3-p17
    • Older stable version which is supported on Unix-like systems only.
    • Receives only security fixes.
  • 0.5 (SVN trunk)
    • development
    • security updates
    • playback fixes
    • new features
    • new file formats

Please update to the newest versions.