authorErik de Castro Lopo <erikd@mega-nerd.com>2019-10-07 17:58:57 +1100
committerErik de Castro Lopo <erikd@mega-nerd.com>2019-10-10 18:34:17 +1100
commit4f2115f41f38598173d0d01d08b7dfb1f2a5fa94 (patch)
tree58abedd0862f54135d72a2e604a16e4b88a1db6c
parent86431a66dcd2fa270b10b7c8421003cb82484cc9 (diff)
downloadflac-topic/oss-fuzz.tar.gz
libFLAC/bitwrite.c: Add sanity check to prevent DOS attacktopic/oss-fuzz
When fuzzing the encoder it is possible to make the encoder take tens of seconds or more to encode relatively short chunks of audio. Adding a sanity check on the number of bits and returning false (indicating that memory allocation failed) prevents this and appears to have no effect on the encoding of non-fuzzing inputs. Credit: Oss-Fuzz Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17319 Testcase: fuzzer_encoder-5639344026550272
-rw-r--r--src/libFLAC/bitwriter.c4
1 files changed, 4 insertions, 0 deletions
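--- a/src/libFLAC/bitwriter.c
+++ b/src/libFLAC/bitwriter.c
@@ -567,6 +567,10 @@ FLAC__bool FLAC__bitwriter_write_rice_signed_block(FLAC__BitWriter *bw, const FL
 msbits = uval >> parameter;
 total_bits = lsbits + msbits;
+ /* sanity check */
+ if (total_bits > 8 * 8196)
+ return false;
+
 if(bw->bits && bw->bits + total_bits < FLAC__BITS_PER_WORD) { /* i.e. if the whole thing fits in the current bwword */
 /* ^^^ if bw->bits is 0 then we may have filled the buffer and have no free bwword to work in */
 bw->bits += total_bits;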
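Review bot: The bound in the new line `if (total_bits > 8 * 8196)` is a magic number whose only explanation is `/* sanity check */`; 8196 is not a power of two and reads as if 8192 may have been intended, and nothing in the code records why the limit exists or why the failure is reported as `false`, which callers interpret as an allocation failure according to the commit description. Name the limit and state its purpose at the check, e.g. `enum { MAX_RICE_CODE_BITS = 8 * 8196 }; /* caps one sample's unary (msbits) run: fuzzed input otherwise makes encoding take tens of seconds (oss-fuzz 17319) */`. If `total_bits`, `lsbits` and `msbits` are 32-bit unsigned (their declarations are outside the hunk), `lsbits + msbits` can wrap when `msbits` is close to `UINT32_MAX` and slip under the limit, so testing the unary length before the addition would make the guard robust: `if (msbits > MAX_RICE_CODE_BITS || total_bits > MAX_RICE_CODE_BITS) return false;`. FLAC__bitwriter_write_rice_signed_block begins before the hunk and continues after it.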