authorErik de Castro Lopo <erikd@mega-nerd.com>2014-11-28 23:39:25 +1100
committerErik de Castro Lopo <erikd@mega-nerd.com>2014-11-29 18:08:33 +1100
commit43ba7ad05f1656e885ce2f34a9a72494f45705ae (patch)
treed9decfb2d769d9a85b0a48b9f5e5f802cb6449a5 /src/libFLAC/stream_decoder.c
parent0e11f73eabd3544f59937d0a0d8e076d7c9c2d1d (diff)
downloadflac-43ba7ad05f1656e885ce2f34a9a72494f45705ae.tar.gz
src/libFLAC/stream_decoder.c : Fix another input validation bug.
If a file says it contains a stupidly large number of vorbis comments, the stream decoder would try to allocate enough memory which would fail returning NULL and then write to that pointer anyway. The solution is to set a hard limit of 100000 vorbis comments and force num_comments to zero if the number is too large. Problem found using the afl (american fuzzy lop) fuzzer. Closes: https://sourceforge.net/p/flac/bugs/421/ Reported-by: Hanno Böck <hanno@hboeck.de>
Diffstat (limited to 'src/libFLAC/stream_decoder.c')
-rw-r--r--src/libFLAC/stream_decoder.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c
index 6632d312..3e9a40ed 100644
--- a/src/libFLAC/stream_decoder.c
+++ b/src/libFLAC/stream_decoder.c
@@ -1728,6 +1728,11 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre
return false; /* read_callback_ sets the state for us */
/* read comments */
+ if (obj->num_comments > 100000) {
+ /* Possibly malicious file. */
+ obj->num_comments = 0;
+ return false;
+ }
if (obj->num_comments > 0) {
if (0 == (obj->comments = safe_malloc_mul_2op_p(obj->num_comments, /*times*/sizeof(FLAC__StreamMetadata_VorbisComment_Entry)))) {
decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;