Commit 43ba7ad0 authored by Erik de Castro Lopo

src/libFLAC/stream_decoder.c : Fix another input validation bug.

If a file says it contains a stupidly large number of vorbis comments,
the stream decoder would try to allocate enough memory which would fail
returning NULL and then write to that pointer anyway. The solution is
to set a hard limit of 10000 vorbis comments and force num_comments to
zero if the number is too large.

Problem found using the afl (american fuzzy lop) fuzzer.

Reported-by: Hanno Böck <>
parent 0e11f73e
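The bug class the commit message describes (a file-controlled count drives an allocation, the NULL result of a failed allocation is then written through), as an added example that is not libFLAC's code: a stand-alone parser for a VORBIS_COMMENT block body that applies the same hard cap as the commit before allocating anything, and adds a stricter check of my own that the declared count fits in the bytes that remain. The function names (parse_vorbis_comment, vc_free, demo_count, demo_entry_is), the constant MAX_VORBIS_COMMENTS and all of the byte buffers are constructed for this example; the byte layout follows the Vorbis comment header (all integers little-endian).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VORBIS_COMMENTS 100000u   /* hard cap; the value is the one the commit uses */
typedef struct { char **comments; uint32_t num_comments; } vc_block_t;

/* Read a little-endian u32 at *pos without running past len. */
static bool read_u32le(const uint8_t *b, size_t len, size_t *pos, uint32_t *out)
{
    if (len - *pos < 4) return false;
    *out = (uint32_t)b[*pos] | (uint32_t)b[*pos + 1] << 8 |
           (uint32_t)b[*pos + 2] << 16 | (uint32_t)b[*pos + 3] << 24;
    *pos += 4;
    return true;
}

/* n*size allocation that returns NULL on multiplication overflow as well as on OOM. */
static void *safe_malloc_mul(size_t n, size_t size)
{
    return (n != 0 && size > SIZE_MAX / n) ? NULL : malloc(n * size);
}

void vc_free(vc_block_t *vc)
{
    for (uint32_t i = 0; i < vc->num_comments; i++) free(vc->comments[i]);
    free(vc->comments);
    vc->comments = NULL;
    vc->num_comments = 0;
}

/* Parse a VORBIS_COMMENT block body: u32le vendor_length, vendor string, u32le num_comments,
 * then num_comments x (u32le length, bytes). Any malformed or oversized input is rejected
 * with false and *out left empty (num_comments 0, comments NULL). */
bool parse_vorbis_comment(const uint8_t *buf, size_t len, vc_block_t *out)
{
    size_t pos = 0;
    uint32_t vendor_len, num;
    out->comments = NULL;
    out->num_comments = 0;

    if (!read_u32le(buf, len, &pos, &vendor_len) || len - pos < vendor_len) return false;
    pos += vendor_len;                          /* vendor string is not needed here */
    if (!read_u32le(buf, len, &pos, &num)) return false;
    if (num > MAX_VORBIS_COMMENTS) return false;   /* the commit's check: possibly malicious file */
    /* Stricter than a fixed cap (my addition): each entry costs at least its 4-byte length
     * field, so a declared count larger than the bytes that remain cannot be honest. */
    if ((size_t)num * 4 > len - pos) return false;
    if (num == 0) return true;

    out->comments = safe_malloc_mul(num, sizeof(char *));
    if (out->comments == NULL) return false;    /* the pre-fix code wrote through this NULL */

    for (uint32_t i = 0; i < num; i++) {
        uint32_t elen;
        if (!read_u32le(buf, len, &pos, &elen) || len - pos < elen) goto fail;
        if ((out->comments[i] = malloc((size_t)elen + 1)) == NULL) goto fail;
        memcpy(out->comments[i], buf + pos, elen);
        out->comments[i][elen] = '\0';
        out->num_comments = i + 1;              /* keeps vc_free() exact if we bail out below */
        pos += elen;
    }
    return true;
fail:
    vc_free(out);
    return false;
}

/* Constructed sample blocks (not taken from any real file). */
static const uint8_t VALID_BLOCK[] = {
    0x01, 0x00, 0x00, 0x00, 'x',                  /* vendor_length 1, vendor "x" */
    0x02, 0x00, 0x00, 0x00,                       /* num_comments 2 */
    0x03, 0x00, 0x00, 0x00, 'a', '=', '1',
    0x04, 0x00, 0x00, 0x00, 'b', '=', '2', '2' };
static const uint8_t HUGE_COUNT_BLOCK[] = {       /* num_comments 0xFFFFFFFF: trips the cap */
    0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };
static const uint8_t CAPPED_BLOCK[] = {           /* num_comments 100000: under the cap, no bytes left */
    0x00, 0x00, 0x00, 0x00, 0xA0, 0x86, 0x01, 0x00 };
static const uint8_t TRUNCATED_BLOCK[] = {        /* second entry claims 9 bytes, only 1 present */
    0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 'a', '=', '1',
    0x09, 0x00, 0x00, 0x00, 'b' };

/* Number of comments accepted from buf, or -1 if the block was rejected. */
int demo_count(const uint8_t *buf, size_t len)
{
    vc_block_t vc;
    int n = parse_vorbis_comment(buf, len, &vc) ? (int)vc.num_comments : -1;
    vc_free(&vc);
    return n;
}

/* True if buf parses and comment idx is exactly the string expected. */
bool demo_entry_is(const uint8_t *buf, size_t len, uint32_t idx, const char *expected)
{
    vc_block_t vc;
    bool ok = parse_vorbis_comment(buf, len, &vc) && idx < vc.num_comments &&
              strcmp(vc.comments[idx], expected) == 0;
    vc_free(&vc);
    return ok;
}

int main(void)
{
    printf("valid=%d huge=%d capped=%d truncated=%d\n",
           demo_count(VALID_BLOCK, sizeof VALID_BLOCK), demo_count(HUGE_COUNT_BLOCK, sizeof HUGE_COUNT_BLOCK),
           demo_count(CAPPED_BLOCK, sizeof CAPPED_BLOCK), demo_count(TRUNCATED_BLOCK, sizeof TRUNCATED_BLOCK));
    return 0;
}
```

The fixed cap stops the absurd case, but CAPPED_BLOCK shows why it is not enough on its own: a count of exactly 100000 passes it and would still trigger a multi-megabyte allocation for a block that carries no entries at all, so the remaining-bytes check rejects it before malloc is ever called. Every failure path goes through vc_free(), which is why the parser records num_comments only after each entry has actually been allocated.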
......@@ -1728,6 +1728,11 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre
return false; /* read_callback_ sets the state for us */
/* read comments */
if (obj->num_comments > 100000) {
/* Possibly malicious file. */
obj->num_comments = 0;
return false;
if (obj->num_comments > 0) {
if (0 == (obj->comments = safe_malloc_mul_2op_p(obj->num_comments, /*times*/sizeof(FLAC__StreamMetadata_VorbisComment_Entry)))) {
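Review bot: the new guard `if (obj->num_comments > 100000) {` has no closing brace visible before the following `if (obj->num_comments > 0) {`; the hunk header counts five added lines while only four are shown, so the `}` has most likely been lost in rendering, but it is worth confirming since the block as displayed would not compile. The limit in the code (100000) also disagrees with the commit message (10000), so one of the two should be corrected, and a named constant would make the bound self-documenting. Finally, this `return false;` sets no decoder state, unlike the earlier one in this hunk whose comment notes that read_callback_ sets the state for us; consider setting an explicit error state before returning so the caller can tell a rejected file from a read failure.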