claunia/flac
1
0
Fork 0
mirror of https://github.com/claunia/flac.git synced 2025-12-16 18:54:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

src/libFLAC/stream_decoder.c : Fix another input validation bug.

Browse Source 
If a file says it contains a stupidly large number of vorbis comments,
the stream decoder would try to allocate enough memory which would fail
returning NULL and then write to that pointer anyway. The solution is
to set a hard limit of 10000 vorbis comments and force num_comments to
zero if the number is too large.

Problem found using the afl (american fuzzy lop) fuzzer.

Closes: https://sourceforge.net/p/flac/bugs/421/
Reported-by : Hanno Böck <hanno@hboeck.de>
This commit is contained in:
Erik de Castro Lopo
2014-11-28 23:39:25 +11:00
parent 0e11f73eab
commit 43ba7ad05f
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/libFLAC/stream_decoder.c
View File

@@ -1728,6 +1728,11 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre
return false; /* read_callback_ sets the state for us */
/* read comments */
if (obj->num_comments > 100000) {
/* Possibly malicious file. */
obj->num_comments = 0;
return false;
}
if (obj->num_comments > 0) {
if (0 == (obj->comments = safe_malloc_mul_2op_p(obj->num_comments, /*times*/sizeof(FLAC__StreamMetadata_VorbisComment_Entry)))) {
decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;