From 4f2115f41f38598173d0d01d08b7dfb1f2a5fa94 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo
Date: Mon, 7 Oct 2019 17:58:57 +1100
Subject: libFLAC/bitwrite.c: Add sanity check to prevent DOS attack

When fuzzing the encoder it is possible to cause the encoder to to take 10s of seconds or more encoding relatively short chunks of audio. Adding a sanity check for the number of bits and returning false (indicating memory allocation failed) prevents this and seems to have no effect in the encoding of non-fuzzing inputs.

Credit: Oss-Fuzz
Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17319
Testcase: fuzzer_encoder-5639344026550272
---
 src/libFLAC/bitwriter.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/libFLAC/bitwriter.c b/src/libFLAC/bitwriter.c
index ed7ae0e8..95d4998c 100644
--- a/src/libFLAC/bitwriter.c
+++ b/src/libFLAC/bitwriter.c
@@ -567,6 +567,10 @@ FLAC__bool FLAC__bitwriter_write_rice_signed_block(FLAC__BitWriter *bw, const FL
 msbits = uval >> parameter;
 total_bits = lsbits + msbits;
 
+ /* sanity check */
+ if (total_bits > 8 * 8196)
+ return false;
+
 if(bw->bits && bw->bits + total_bits < FLAC__BITS_PER_WORD) { /* i.e. if the whole thing fits in the current bwword */
 /* ^^^ if bw->bits is 0 then we may have filled the buffer and have no free bwword to work in */
 bw->bits += total_bits;
-- cgit v1.2.1
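Review bot: The threshold `8 * 8196` on the added `if` looks like a typo for `8 * 8192` and is a bare magic number whose only explanation is `/* sanity check */`; it should be a named constant with a comment saying what it bounds and why. As far as the hunk shows, `total_bits = lsbits + msbits` with `msbits = uval >> parameter` is the width of one Rice-coded residual, so I would write `if (total_bits > FLAC__RICE_MAX_TOTAL_BITS) /* proposed name, defined once as 8 * 8192 */` and comment the constant with `/* cap on the width of one Rice-coded residual; only pathological input exceeds it, and accepting it makes encoding take tens of seconds (oss-fuzz issue 17319) */`. If `total_bits` is a 32-bit unsigned (its declaration is outside the hunk), the sum can wrap when `parameter` is 0 and `uval` is near `UINT32_MAX`, and the wrapped value would pass the check, so testing `msbits` against the limit before the addition closes that gap. Returning `false` here is indistinguishable to the caller from the allocation failure the commit message mentions, so the comment should also state that the return value is reused deliberately. FLAC__bitwriter_write_rice_signed_block's body begins and ends outside the hunk.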