author Moritz Muehlenhoff <jmm@debian.org> 2022-03-17 14:00:20 +0100
committer Moritz Muehlenhoff <jmm@debian.org> 2022-03-17 14:00:20 +0100
commit 4b3d60acd48ff8ee6cfe6a011796e75b0ab61f9f (patch)
tree 5153a10a85c7b5cccd14c15779f57ae3b848379b /data
parent 85c813fd064fd31b6d22691e3f2d0e6cf4428aee (diff)
extend comment for libstb
Diffstat (limited to 'data')
-rw-r--r-- data/CVE/list 9
1 files changed, 6 insertions, 3 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 527c74ebb1..21981bd615 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -4507,17 +4507,20 @@ CVE-2022-25517
CVE-2022-25516 (stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow ...)
- libstb <unfixed> (unimportant)
NOTE: https://github.com/nothings/stb/issues/1287
- NOTE: The stb_truetype API does not know the length of the input font file and therefore
+ NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files
+ NOTE: Also, the stb_truetype API does not know the length of the input font file and therefore
NOTE: cannot bounds check it.
CVE-2022-25515 (stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow ...)
- libstb <unfixed> (unimportant)
NOTE: https://github.com/nothings/stb/issues/1288
- NOTE: The stb_truetype API does not know the length of the input font file and therefore
+ NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files
+ NOTE: Also, the stb_truetype API does not know the length of the input font file and therefore
NOTE: cannot bounds check it.
CVE-2022-25514 (stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow ...)
- libstb <unfixed> (unimportant)
NOTE: https://github.com/nothings/stb/issues/1286
- NOTE: The stb_truetype API does not know the length of the input font file and therefore
+ NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files
+ NOTE: Also, the stb_truetype API does not know the length of the input font file and therefore
NOTE: cannot bounds check it.
CVE-2022-25513
RESERVED
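Review bot: The new first NOTE under CVE-2022-25516, CVE-2022-25515 and CVE-2022-25514 ("stb_truetype.h explicitly marked as unsuitable for untrusted files") carries the weight of the (unimportant) triage but cites no source, so a reader cannot check it from the entry alone. The only reference in each entry is the upstream issue URL, which is the bug report rather than the statement being relied on. Consider saying where the marking appears (the file and section, or a link) in that NOTE line. With that in place, the retained "Also, ... cannot bounds check it" lines read as a secondary, design-level reason, which matches the order the commit gives them. The same two lines are now repeated verbatim in three entries; if the tracker's conventions allow it, a single full explanation in one entry with a short pointer from the other two would keep future wording changes from drifting apart.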
