commit 43ba7ad05f1656e885ce2f34a9a72494f45705ae
author Erik de Castro Lopo <erikd@mega-nerd.com> Fri Nov 28 23:39:25 2014 +1100
committer Erik de Castro Lopo <erikd@mega-nerd.com> Sat Nov 29 18:08:33 2014 +1100
tree d9decfb2d769d9a85b0a48b9f5e5f802cb6449a5
parent 0e11f73eabd3544f59937d0a0d8e076d7c9c2d1d

src/libFLAC/stream_decoder.c : Fix another input validation bug.

If a file says it contains a stupidly large number of vorbis comments,
the stream decoder would try to allocate enough memory which would fail
returning NULL and then write to that pointer anyway. The solution is
to set a hard limit of 10000 vorbis comments and force num_comments to
zero if the number is too large.

Problem found using the afl (american fuzzy lop) fuzzer.

Closes: https://sourceforge.net/p/flac/bugs/421/
Reported-by : Hanno Böck <hanno@hboeck.de>

src/libFLAC/stream_decoder.c

diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c
index 6632d31..3e9a40e 100644
--- a/src/libFLAC/stream_decoder.c
+++ b/src/libFLAC/stream_decoder.c
@@ -1728,6 +1728,11 @@
 			return false; /* read_callback_ sets the state for us */
 
 		/* read comments */
+		if (obj->num_comments > 100000) {
+			/* Possibly malicious file. */
+			obj->num_comments = 0;
+			return false;
+		}
 		if (obj->num_comments > 0) {
 			if (0 == (obj->comments = safe_malloc_mul_2op_p(obj->num_comments, /*times*/sizeof(FLAC__StreamMetadata_VorbisComment_Entry)))) {
 				decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;