flac/metaflac: Limit the size of metadata blocks

Limit allow image file size to slightly less than 2^24 bytes so that
the file size plus extra house keeping data is strictly less that
2^24 bytes in size.

Patch-from: lvqcl <lvqcl.mail@gmail.com>

2 files changed, 4 insertions, 4 deletions

diff --git a/src/libFLAC/metadata_object.c b/src/libFLAC/metadata_object.c
index 33db80b4..05ca6b31 100644
--- a/src/libFLAC/metadata_object.c
+++ b/src/libFLAC/metadata_object.c
@@ -1799,9 +1799,6 @@ FLAC_API FLAC__bool FLAC__metadata_object_picture_set_data(FLAC__StreamMetadata
 	FLAC__ASSERT(object->type == FLAC__METADATA_TYPE_PICTURE);
 	FLAC__ASSERT((0 != data && length > 0) || (0 == data && length == 0 && copy == false));
 
-	if(length >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN))
-		return false;
-
 	old = object->data.picture.data;
 
 	/* do the copy first so that if we fail we leave the object untouched */
diff --git a/src/share/grabbag/picture.c b/src/share/grabbag/picture.c
index cca4b7fe..6d0578c1 100644
--- a/src/share/grabbag/picture.c
+++ b/src/share/grabbag/picture.c
@@ -287,7 +287,7 @@ static const char * read_file (const char * filepath, FLAC__StreamMetadata * obj
 	if (size < 0)
 		return error_messages[5];
 
-	if (size >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN))
+	if (size >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN)) /* actual limit is less because of other fields in the PICTURE metadata block */
 		return error_messages[11];
 
 	if ((buffer = safe_malloc_(size)) == NULL)
@@ -313,6 +313,9 @@ static const char * read_file (const char * filepath, FLAC__StreamMetadata * obj
 	/* try to extract resolution/color info if user left it blank */
 	else if ((obj->data.picture.width == 0 || obj->data.picture.height == 0 || obj->data.picture.depth == 0) && !local__extract_resolution_color_info_(&obj->data.picture))
 		error_message = error_messages[4];
+	/* check metadata block size */
+	else if (obj->length >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN))
+		error_message = error_messages[11];
 
 	return error_message;
 }