libFLAC/bitreader.c: Fix OOB read
authorErik de Castro Lopo <erikd@mega-nerd.com>
Sun, 25 Aug 2019 06:14:53 +0000 (16:14 +1000)
committerErik de Castro Lopo <erikd@mega-nerd.com>
Sun, 15 Sep 2019 20:18:07 +0000 (06:18 +1000)
Credit: OSS-Fuzz
Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16457
Testcase: fuzzer_decoder-5076189185572864

src/libFLAC/bitreader.c

index 935208a..9050743 100644 (file)
@@ -131,16 +131,19 @@ static inline void crc16_update_block_(FLAC__BitReader *br)
        if(br->consumed_words > br->crc16_offset && br->crc16_align)
                crc16_update_word_(br, br->buffer[br->crc16_offset++]);
 
+       /* Prevent OOB read due to wrap-around. */
+       if (br->consumed_words > br->crc16_offset) {
 #if FLAC__BYTES_PER_WORD == 4
-       br->read_crc16 = FLAC__crc16_update_words32(br->buffer + br->crc16_offset, br->consumed_words - br->crc16_offset, br->read_crc16);
+               br->read_crc16 = FLAC__crc16_update_words32(br->buffer + br->crc16_offset, br->consumed_words - br->crc16_offset, br->read_crc16);
 #elif FLAC__BYTES_PER_WORD == 8
-       br->read_crc16 = FLAC__crc16_update_words64(br->buffer + br->crc16_offset, br->consumed_words - br->crc16_offset, br->read_crc16);
+               br->read_crc16 = FLAC__crc16_update_words64(br->buffer + br->crc16_offset, br->consumed_words - br->crc16_offset, br->read_crc16);
 #else
-       unsigned i;
+               unsigned i;
 
-       for(i = br->crc16_offset; i < br->consumed_words; i++)
-               crc16_update_word_(br, br->buffer[i]);
+               for (i = br->crc16_offset; i < br->consumed_words; i++)
+                       crc16_update_word_(br, br->buffer[i]);
 #endif
+       }
 
        br->crc16_offset = 0;
 }
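Review bot: The comment on the new guard names the symptom but not the condition that triggers it, which is what a maintainer needs before relaxing the check; I would make it explicit: `/* crc16_offset can be past consumed_words here; the unsigned length consumed_words - crc16_offset would then wrap and the CRC update would read far beyond buffer, so skip it. */`. How crc16_offset gets beyond consumed_words is not visible in this hunk — the align-word path two lines above cannot cause it, since it only increments while consumed_words is still larger — so it presumably comes from a reset or rewind elsewhere in the file, and the guard stops the out-of-bounds read without addressing that bookkeeping inconsistency. Since the skipped words are then silently left out of read_crc16 (and crc16_offset is reset to 0 regardless), a FLAC__ASSERT or debug trace on the skipped branch would make a regression of the root cause visible rather than just a CRC mismatch, if that macro is available in this file. As a style point, the new lines use `if (` and `for (` while the surrounding code, including the condition directly above, uses `if(`; matching the file's convention keeps the function consistent.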