libFLAC allocates 1GB+ of memory if fed a malformed/crafted file
libFLAC code reading strings (mime, description) inside FLAC__METADATA_TYPE_PICTURE blocks does not sanitize input by checking whether the signaled amount of data can actually be read from the source. In case of malformed/crafted files, this can apparently lead to momentary allocation of up to 4GB of memory, possibly leading to a denial of service condition (application becoming unresponsive or getting terminated by the operating system).
Sample files attached, generated using my fuzzer tool:
fuzz-00627131.flac fuzz-00028878.flac fuzz-00301843.flac
Set breakpoints on the methods in shared/alloc.h to see the extreme memory allocation requests while reading these.
There appear to be at least two code paths having the same essential issue:
- FLAC__metadata_chain_read_with_callbacks >> read_metadata_block_data_picture_cstring_cb_
- FLAC__stream_decoder_process_until_end_of_metadata >> read_metadata_picture_
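As an added illustration of the missing check (constructed example code, not libFLAC's own), the reader below parses the MIME and description strings of a PICTURE block body and compares each declared string length against the bytes still available in the block before allocating anything; the function and type names, and the two sample block bodies, are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not libFLAC code: bounds-checked reading of the
 * length-prefixed MIME and description strings in a FLAC PICTURE block. */
typedef struct { const uint8_t *p; size_t remaining; } reader_t;
/* Read a big-endian 32-bit field; returns 0 if fewer than 4 bytes remain. */
static int read_u32(reader_t *r, uint32_t *out) {
    if (r->remaining < 4) return 0;
    *out = ((uint32_t)r->p[0] << 24) | ((uint32_t)r->p[1] << 16) |
           ((uint32_t)r->p[2] << 8) | (uint32_t)r->p[3];
    r->p += 4; r->remaining -= 4;
    return 1;
}
/* Read a length-prefixed string into a fresh NUL-terminated buffer. The
 * declared length is checked against the bytes actually left in the block
 * BEFORE allocating, so a crafted 0xFFFFFFFF length cannot become a 4GB malloc. */
static char *read_cstring_checked(reader_t *r) {
    uint32_t len;
    if (!read_u32(r, &len)) return NULL;
    if (len > r->remaining) return NULL;   /* the missing sanity check */
    char *s = malloc((size_t)len + 1);
    if (!s) return NULL;
    memcpy(s, r->p, len);
    s[len] = '\0';
    r->p += len; r->remaining -= len;
    return s;
}
/* Parse picture type, MIME and description from a PICTURE block body.
 * Returns 1 on success; on failure returns 0 with both strings NULL. */
int parse_picture_strings(const uint8_t *body, size_t body_len,
                          char **mime, char **desc) {
    reader_t r = { body, body_len };
    uint32_t picture_type;
    *mime = *desc = NULL;
    if (!read_u32(&r, &picture_type)) return 0;
    if ((*mime = read_cstring_checked(&r)) == NULL) return 0;
    if ((*desc = read_cstring_checked(&r)) == NULL) {
        free(*mime); *mime = NULL; return 0;
    }
    return 1;
}
/* Constructed sample block bodies (big-endian fields, as in the FLAC spec). */
const uint8_t good_body[] = { 0,0,0,3,              /* type: front cover */
    0,0,0,10, 'i','m','a','g','e','/','j','p','e','g',
    0,0,0,5,  'c','o','v','e','r' };
const uint8_t bad_body[] = { 0,0,0,3,
    0xFF,0xFF,0xFF,0xFF, 'x' };  /* claims 4GB of MIME data, carries 1 byte */
```

Because a metadata block header carries only a 24-bit length, no string inside a PICTURE block can legitimately exceed 16 MiB, so a declared length larger than the remaining block bytes is always a malformed file rather than a large but valid one.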