src/libFLAC/stream_decoder.c : Fix seek bug.
Janne Hyvärinen reported a problem with seeking as a result of the
fix for CVE-2014-9028. This is a different solution to the issue
that should not adversely affect seeking.
This version of the fix for the above CVE has been extensively fuzz
tested using afl (http://lcamtuf.coredump.cx/afl/).
Reported-by: Janne Hyvärinen <cse@sci.fi>
diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c
index 3e9a40e..d599580 100644
--- a/src/libFLAC/stream_decoder.c
+++ b/src/libFLAC/stream_decoder.c
@@ -1281,6 +1281,9 @@
unsigned i;
FLAC__int32 *tmp;
+ /* Make sure size is some sensible minimum value. Plumb through predictor_order maybe? */
+ size = size < FLAC__MAX_LPC_ORDER ? FLAC__MAX_LPC_ORDER : size ;
+
if(size <= decoder->private_->output_capacity && channels <= decoder->private_->output_channels)
return true;
@@ -2741,16 +2744,14 @@
if(decoder->private_->frame.header.blocksize < predictor_order) {
send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
- /* We have received a potentially malicious bit stream. All we can do is error out to avoid a heap overflow. */
- return false;
+ return true;
}
}
else {
if(partition_samples < predictor_order) {
send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
- /* We have received a potentially malicious bit stream. All we can do is error out to avoid a heap overflow. */
- return false;
+ return true;
}
}