diff options
| author | Martijn van Beurden <mvanb1@gmail.com> | 2021-12-22 21:17:14 +0100 |
|---|---|---|
| committer | Ralph Giles <giles@thaumas.net> | 2022-02-08 20:49:13 -0800 |
| commit | 2f209573d0f582385baa00cae45dcf10d50d96c4 (patch) | |
| tree | 563e27d1d78d79107d031541e482687d27250814 | |
| parent | d4a72210467a526bab82fa0959ee8b2180acaebf (diff) | |
| download | flac-2f209573d0f582385baa00cae45dcf10d50d96c4.tar.gz | |
Check for predictor order <= blocksize in subframe header
Credit: Oss-Fuzz
Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38347
Signed-off-by: Ralph Giles <giles@thaumas.net>
| -rw-r--r-- | src/libFLAC/stream_decoder.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c index 143229bb..f1fa8842 100644 --- a/src/libFLAC/stream_decoder.c +++ b/src/libFLAC/stream_decoder.c @@ -2528,13 +2528,19 @@ FLAC__bool read_subframe_(FLAC__StreamDecoder *decoder, uint32_t channel, uint32 return true; } else if(x <= 24) { + uint32_t predictor_order = (x>>1)&7; if(decoder->private_->frame.header.bits_per_sample > 24){ /* Decoder isn't equipped for fixed subframes with more than 24 bps */ send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_UNPARSEABLE_STREAM); decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC; return true; } - if(!read_subframe_fixed_(decoder, channel, bps, (x>>1)&7, do_full_decode)) + if(decoder->private_->frame.header.blocksize <= predictor_order){ + send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC); + decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC; + return true; + } + if(!read_subframe_fixed_(decoder, channel, bps, predictor_order, do_full_decode)) return false; if(decoder->protected_->state == FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC) /* means bad sync or got corruption */ return true; @@ -2545,7 +2551,13 @@ FLAC__bool read_subframe_(FLAC__StreamDecoder *decoder, uint32_t channel, uint32 return true; } else { - if(!read_subframe_lpc_(decoder, channel, bps, ((x>>1)&31)+1, do_full_decode)) + uint32_t predictor_order = ((x>>1)&31)+1; + if(decoder->private_->frame.header.blocksize <= predictor_order){ + send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC); + decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC; + return true; + } + if(!read_subframe_lpc_(decoder, channel, bps, predictor_order, do_full_decode)) return false; if(decoder->protected_->state == FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC) /* means bad sync or got corruption */ return true; |