Commit ff50779e authored by Erik de Castro Lopo's avatar Erik de Castro Lopo
Browse files

libFLAC: More comment validation

When the allocation for obj->comment fails, set obj->num_comments
to zero.

Patch-from: lvqcl <lvqcl.mail@gmail.com>
parent 5e66846a
...@@ -2255,8 +2255,10 @@ FLAC__Metadata_SimpleIteratorStatus read_metadata_block_data_vorbis_comment_cb_( ...@@ -2255,8 +2255,10 @@ FLAC__Metadata_SimpleIteratorStatus read_metadata_block_data_vorbis_comment_cb_(
if(block->num_comments == 0) { if(block->num_comments == 0) {
block->comments = 0; block->comments = 0;
} }
else if(0 == (block->comments = calloc(block->num_comments, sizeof(FLAC__StreamMetadata_VorbisComment_Entry)))) else if(0 == (block->comments = calloc(block->num_comments, sizeof(FLAC__StreamMetadata_VorbisComment_Entry)))) {
block->num_comments = 0;
return FLAC__METADATA_SIMPLE_ITERATOR_STATUS_MEMORY_ALLOCATION_ERROR; return FLAC__METADATA_SIMPLE_ITERATOR_STATUS_MEMORY_ALLOCATION_ERROR;
}
for(i = 0; i < block->num_comments; i++) { for(i = 0; i < block->num_comments; i++) {
status = read_metadata_block_data_vorbis_comment_entry_cb_(handle, read_cb, block->comments + i, block_length); status = read_metadata_block_data_vorbis_comment_entry_cb_(handle, read_cb, block->comments + i, block_length);
......
...@@ -574,6 +574,7 @@ FLAC_API FLAC__StreamMetadata *FLAC__metadata_object_clone(const FLAC__StreamMet ...@@ -574,6 +574,7 @@ FLAC_API FLAC__StreamMetadata *FLAC__metadata_object_clone(const FLAC__StreamMet
FLAC__ASSERT(0 != object->data.vorbis_comment.comments); FLAC__ASSERT(0 != object->data.vorbis_comment.comments);
to->data.vorbis_comment.comments = vorbiscomment_entry_array_copy_(object->data.vorbis_comment.comments, object->data.vorbis_comment.num_comments); to->data.vorbis_comment.comments = vorbiscomment_entry_array_copy_(object->data.vorbis_comment.comments, object->data.vorbis_comment.num_comments);
if(0 == to->data.vorbis_comment.comments) { if(0 == to->data.vorbis_comment.comments) {
to->data.vorbis_comment.num_comments = 0;
FLAC__metadata_object_delete(to); FLAC__metadata_object_delete(to);
return 0; return 0;
} }
...@@ -1195,8 +1196,10 @@ FLAC_API FLAC__bool FLAC__metadata_object_vorbiscomment_resize_comments(FLAC__St ...@@ -1195,8 +1196,10 @@ FLAC_API FLAC__bool FLAC__metadata_object_vorbiscomment_resize_comments(FLAC__St
free(object->data.vorbis_comment.comments); free(object->data.vorbis_comment.comments);
object->data.vorbis_comment.comments = 0; object->data.vorbis_comment.comments = 0;
} }
else if(0 == (object->data.vorbis_comment.comments = realloc(object->data.vorbis_comment.comments, new_size))) else if(0 == (object->data.vorbis_comment.comments = realloc(object->data.vorbis_comment.comments, new_size))) {
object->data.vorbis_comment.num_comments = 0;
return false; return false;
}
/* if growing, zero all the length/pointers of new elements */ /* if growing, zero all the length/pointers of new elements */
if(new_size > old_size) if(new_size > old_size)
......
...@@ -1735,6 +1735,7 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre ...@@ -1735,6 +1735,7 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre
} }
if (obj->num_comments > 0) { if (obj->num_comments > 0) {
if (0 == (obj->comments = safe_malloc_mul_2op_p(obj->num_comments, /*times*/sizeof(FLAC__StreamMetadata_VorbisComment_Entry)))) { if (0 == (obj->comments = safe_malloc_mul_2op_p(obj->num_comments, /*times*/sizeof(FLAC__StreamMetadata_VorbisComment_Entry)))) {
obj->num_comments = 0;
decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR; decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
return false; return false;
} }
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment