libFLAC/stream_decoder.c: fix integer overflow on corrupt file
authorHakan Kvist <hakan.kvist@sony.com>
Tue, 22 Oct 2019 18:44:58 +0000 (20:44 +0200)
committerErik de Castro Lopo <erikd@mega-nerd.com>
Wed, 23 Oct 2019 19:57:47 +0000 (06:57 +1100)
Corrupt metadata could make the length calculation overflow.

src/libFLAC/stream_decoder.c

index 5b96086..7034cce 100644 (file)
@@ -1628,6 +1628,8 @@ FLAC__bool read_metadata_streaminfo_(FLAC__StreamDecoder *decoder, FLAC__bool is
 
        /* skip the rest of the block */
        FLAC__ASSERT(used_bits % 8 == 0);
+       if (length < (used_bits / 8))
+               return false; /* read_callback_ sets the state for us */
        length -= (used_bits / 8);
        if(!FLAC__bitreader_skip_byte_block_aligned_no_crc(decoder->private_->input, length))
                return false; /* read_callback_ sets the state for us */
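Review bot: The comment on the new early return, `/* read_callback_ sets the state for us */`, does not hold for this branch: the `length < (used_bits / 8)` test returns before any bitreader call is made, so no read callback has run and nothing visible in the hunk updates the decoder state. A caller that inspects the state after receiving `false` may therefore find no error recorded for a STREAMINFO block whose declared length is shorter than the fields already parsed; whether that matters depends on callers outside this hunk. I would at least reword the comment, e.g. `return false; /* declared block length is smaller than the data already read; no read was attempted here */`, and consider recording an explicit error state or notifying the client's error callback before returning. The body of read_metadata_streaminfo_ starts and ends outside the hunk, so the type of `length` and any earlier state handling cannot be checked from here.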