Limit maximum size of bitwriter buffer

In the past, various bugs have triggered libFLAC to write enormous
coded residuals. While these bugs have been fixed, this check is
added to limit the impact of possible remaining or future bugs

When a bitwriter is grown past the maximum sane size of a frame
(8 channels of 65535 samples with 24 + 4 bits per sample) this
indicates that such a bug was triggered. Instead of a possible
crash or creating unreadable files, bitwriter_grow_ fails as if
it could not allocate more memory.

1 files changed, 7 insertions, 0 deletions

diff --git a/src/libFLAC/bitwriter.c b/src/libFLAC/bitwriter.c
index 6e86585b..13e79d4d 100644
--- a/src/libFLAC/bitwriter.c
+++ b/src/libFLAC/bitwriter.c
@@ -38,7 +38,9 @@
 #include <string.h>
 #include "private/bitwriter.h"
 #include "private/crc.h"
+#include "private/format.h"
 #include "private/macros.h"
+#include "private/stream_encoder.h"
 #include "FLAC/assert.h"
 #include "share/alloc.h"
 #include "share/compat.h"
@@ -116,6 +118,11 @@ FLAC__bool bitwriter_grow_(FLAC__BitWriter *bw, uint32_t bits_to_add)
 	if(bw->capacity >= new_capacity)
 		return true;
 
+	if(new_capacity * sizeof(bwword) > FLAC__MAX_BLOCK_SIZE * FLAC__MAX_CHANNELS * (FLAC__REFERENCE_CODEC_MAX_BITS_PER_SAMPLE + FLAC__MAX_EXTRA_RESIDUAL_BPS) / 8)
+		/* Requested new capacity is larger than the largest sane framesize.
+		 * That means something went very wrong somewhere. To prevent chrashing, give up */
+		return false;
+
 	/* round up capacity increase to the nearest FLAC__BITWRITER_DEFAULT_INCREMENT */
 	if((new_capacity - bw->capacity) % FLAC__BITWRITER_DEFAULT_INCREMENT)
 		new_capacity += FLAC__BITWRITER_DEFAULT_INCREMENT - ((new_capacity - bw->capacity) % FLAC__BITWRITER_DEFAULT_INCREMENT);