diff options
| author | Erik de Castro Lopo <erikd@mega-nerd.com> | 2014-11-19 19:35:59 -0800 |
|---|---|---|
| committer | Erik de Castro Lopo <erikd@mega-nerd.com> | 2014-11-25 13:03:55 +1100 |
| commit | fcf0ba06ae12ccd7c67cee3c8d948df15f946b85 (patch) | |
| tree | 86599c12e2ee8b50fe5b3ab98ea1d12329180e05 | |
| parent | 288edbb3a16b3b857508e2f70d0fb43091f2858f (diff) | |
| download | flac-fcf0ba06ae12ccd7c67cee3c8d948df15f946b85.tar.gz | |
src/libFACL/stream_decoder.c : Fail safely to avoid a heap overflow.
A file provided by the reporters caused the stream decoder to write to
un-allocated heap space resulting in a segfault. The solution is to
error out (by returning false from read_residual_partitioned_rice_())
instead of trying to continue to decode.
Fixes: CVE-2014-9028
Reported-by: Michele Spagnuolo,
Google Security Team <mikispag@google.com>
| -rw-r--r-- | src/libFLAC/stream_decoder.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c index 88a656d1..54e84d4f 100644 --- a/src/libFLAC/stream_decoder.c +++ b/src/libFLAC/stream_decoder.c @@ -2736,7 +2736,8 @@ FLAC__bool read_residual_partitioned_rice_(FLAC__StreamDecoder *decoder, unsigne if(decoder->private_->frame.header.blocksize < predictor_order) { send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC); decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC; - return true; + /* We have received a potentially malicious bt stream. All we can do is error out to avoid a heap overflow. */ + return false; } } else { |