author: Max Kellermann <max@duempel.org> 2016-07-08 21:29:41 +0200
committer: Erik de Castro Lopo <erikd@mega-nerd.com> 2016-07-10 08:19:26 +1000
commit: 9949ce15f66d1312e7f0692298cfe8087488330b
tree: 4574c34fb643f2da2086afa9e90551bd51cb99f0 /src
parent: 0a49fe7788ecab32a1238ecd45308afbbb580bec
stream_decoder: fix integer underflow due to malformed wasted_bits

It is pretty easy for a malformed FLAC file to underflow the "bps"
variable. In the debug build, this results in an assertion failure in
FLAC__bitreader_read_raw_uint32():

  FLAC__ASSERT(bits <= 32);

In non-debug builds, this simply makes
FLAC__bitreader_read_raw_uint32() fail because
bitreader_read_from_client_() doesn't find enough buffer space for
2**32-1 bits. But since the failing FLAC_ASSERT() is reasonable, this
should be caught in the FLAC__bitreader_read_raw_uint32() caller.

Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>
Closes: https://github.com/xiph/flac/pull/13

Diffstat (limited to 'src')
-rw-r--r-- src/libFLAC/stream_decoder.c 2
1 files changed, 2 insertions, 0 deletions

diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c
index fa0ef2ce..c3a903f9 100644
--- a/src/libFLAC/stream_decoder.c
+++ b/src/libFLAC/stream_decoder.c
@@ -2481,6 +2481,8 @@ FLAC__bool read_subframe_(FLAC__StreamDecoder *decoder, unsigned channel, unsign
if(!FLAC__bitreader_read_unary_unsigned(decoder->private_->input, &u))
return false; /* read_callback_ sets the state for us */
decoder->private_->frame.subframes[channel].wasted_bits = u+1;
+ if (decoder->private_->frame.subframes[channel].wasted_bits >= bps)
+ return false;
bps -= decoder->private_->frame.subframes[channel].wasted_bits;
}
else
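
Review bot: The added `return false` on the `wasted_bits >= bps` path exits without any visible state change or error report. The `return false` two lines above it is covered by the comment "read_callback_ sets the state for us", but that does not apply here: the unary read succeeded and the value is simply out of range, so the caller gets `false` with nothing in these lines to distinguish a malformed subframe from a read failure. Consider setting a decoder state or reporting the malformed header to the client before returning, and add a one-line comment saying that the check keeps the `bps -= ...wasted_bits` subtraction on the next line from underflowing. Note that the `>=` comparison also rejects the case where `wasted_bits` equals `bps`, which would leave `bps` at zero; a comment stating that this is intended would help. Minor style point: the new line is written `if (` while the surrounding code uses `if(`.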