Commit b4b2910b authored by Erik de Castro Lopo's avatar Erik de Castro Lopo

src/libFLAC/stream_decoder.c : Fix seek bug.

Janne Hyvärinen reported a problem with seeking as a result of the
fix for CVE-2014-9028. This is a different solution to the issue
that should not adversely affect seeking.

This version of the fix for the above CVE has been extensively fuzz
tested using afl (http://lcamtuf.coredump.cx/afl/).

Reported-by: Janne Hyvärinen <cse@sci.fi>
parent 3ff1b9d3
......@@ -1281,6 +1281,9 @@ FLAC__bool allocate_output_(FLAC__StreamDecoder *decoder, unsigned size, unsigne
unsigned i;
FLAC__int32 *tmp;
/* Make sure size is some sensible minimum value. Plumb through predictor_order maybe? */
size = size < FLAC__MAX_LPC_ORDER ? FLAC__MAX_LPC_ORDER : size ;
if(size <= decoder->private_->output_capacity && channels <= decoder->private_->output_channels)
return true;
......@@ -2741,16 +2744,14 @@ FLAC__bool read_residual_partitioned_rice_(FLAC__StreamDecoder *decoder, unsigne
if(decoder->private_->frame.header.blocksize < predictor_order) {
send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
/* We have received a potentially malicious bit stream. All we can do is error out to avoid a heap overflow. */
return false;
return true;
}
}
else {
if(partition_samples < predictor_order) {
send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
/* We have received a potentially malicious bit stream. All we can do is error out to avoid a heap overflow. */
return false;
return true;
}
}
......
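Review bot: In read_residual_partitioned_rice_, both sanity checks (`blocksize < predictor_order` and `partition_samples < predictor_order`) now appear to end in `return true;` after reporting LOST_SYNC, and the comment explaining the heap-overflow risk looks to have been dropped along with the old `return false;`. Returning success on a malformed stream means memory safety rests on every caller re-checking `decoder->protected_->state` before it uses the residual or warm-up data. Those callers are outside the hunk, so this should be confirmed and written down. I would keep a comment at both sites, for example `/* Malformed or possibly hostile stream: report lost sync and return true so the decoder resyncs instead of failing; callers must re-check state before using the residual. */`. The comment added in allocate_output_ ends in an open question; if the `FLAC__MAX_LPC_ORDER` floor is what keeps the output buffer large enough when the block size is below the predictor order, it should say so.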