flac/metaflac: Limit the size of metadata blocks

Limit allow image file size to slightly less than 2^24 bytes so that the file size plus extra house keeping data is strictly less that 2^24 bytes in size. Patch-from: lvqcl <lvqcl.mail@gmail.com>
2025-12-16 18:54:26 +00:00 · 2016-05-01 20:30:37 +10:00
parent cf0a6ec709
commit 516a7ad4d9
2 changed files with 4 additions and 4 deletions
--- a/src/libFLAC/metadata_object.c
+++ b/src/libFLAC/metadata_object.c
@@ -1799,9 +1799,6 @@ FLAC_API FLAC__bool FLAC__metadata_object_picture_set_data(FLAC__StreamMetadata
 	FLAC__ASSERT(object->type == FLAC__METADATA_TYPE_PICTURE);
 	FLAC__ASSERT((0 != data && length > 0) || (0 == data && length == 0 && copy == false));

-	if(length >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN))
-		return false;
-
 	old = object->data.picture.data;

 	/* do the copy first so that if we fail we leave the object untouched */
--- a/src/share/grabbag/picture.c
+++ b/src/share/grabbag/picture.c
@@ -287,7 +287,7 @@ static const char * read_file (const char * filepath, FLAC__StreamMetadata * obj
 	if (size < 0)
 		return error_messages[5];

-	if (size >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN))
+	if (size >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN)) /* actual limit is less because of other fields in the PICTURE metadata block */
 		return error_messages[11];

 	if ((buffer = safe_malloc_(size)) == NULL)
@@ -313,6 +313,9 @@ static const char * read_file (const char * filepath, FLAC__StreamMetadata * obj
 	/* try to extract resolution/color info if user left it blank */
 	else if ((obj->data.picture.width == 0 || obj->data.picture.height == 0 || obj->data.picture.depth == 0) && !local__extract_resolution_color_info_(&obj->data.picture))
 		error_message = error_messages[4];
+	/* check metadata block size */
+	else if (obj->length >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN))
+		error_message = error_messages[11];

 	return error_message;
 }