author | Erik de Castro Lopo <erikd@mega-nerd.com> | 2019-10-07 17:58:57 +1100
---|---|---
committer | Erik de Castro Lopo <erikd@mega-nerd.com> | 2019-10-10 18:34:17 +1100
commit | 4f2115f41f38598173d0d01d08b7dfb1f2a5fa94 |
tree | 58abedd0862f54135d72a2e604a16e4b88a1db6c |
parent | 86431a66dcd2fa270b10b7c8421003cb82484cc9 |
libFLAC/bitwrite.c: Add sanity check to prevent DOS attack
(branch: topic/oss-fuzz)
When fuzzing the encoder it is possible to cause the encoder to
take 10s of seconds or more encoding relatively short chunks of
audio. Adding a sanity check for the number of bits and returning
false (indicating memory allocation failed) prevents this and seems
to have no effect in the encoding of non-fuzzing inputs.
Credit: Oss-Fuzz
Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17319
Testcase: fuzzer_encoder-5639344026550272
-rw-r--r-- | src/libFLAC/bitwriter.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/libFLAC/bitwriter.c b/src/libFLAC/bitwriter.c index ed7ae0e8..95d4998c 100644 --- a/src/libFLAC/bitwriter.c +++ b/src/libFLAC/bitwriter.c @@ -567,6 +567,10 @@ FLAC__bool FLAC__bitwriter_write_rice_signed_block(FLAC__BitWriter *bw, const FL msbits = uval >> parameter; total_bits = lsbits + msbits; + /* sanity check */ + if (total_bits > 8 * 8196) + return false; + if(bw->bits && bw->bits + total_bits < FLAC__BITS_PER_WORD) { /* i.e. if the whole thing fits in the current bwword */ /* ^^^ if bw->bits is 0 then we may have filled the buffer and have no free bwword to work in */ bw->bits += total_bits; |
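Review bot: the bound in `if (total_bits > 8 * 8196)` is a bare magic number explained only by `/* sanity check */`; 8196 is not a power of two, so if 8 KiB (8192) was intended this reads as a typo, and either way the limit should be a named constant with a comment stating how it was derived from the largest Rice-coded sample the encoder can legitimately emit, otherwise a future reader cannot tell whether a legitimate high-residual input could trip it. The `return false;` also reuses the path the caller treats as a memory-allocation failure, as the commit message itself notes, so an oversized residual and a genuine out-of-memory condition become indistinguishable to callers; at minimum add a comment at the `return false;` saying so, or use a distinct error path if the bitwriter API allows one.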