libFLAC: More comment validation
authorErik de Castro Lopo <erikd@mega-nerd.com>
Sun, 5 Jul 2015 11:21:44 +0000 (21:21 +1000)
committerErik de Castro Lopo <erikd@mega-nerd.com>
Sun, 5 Jul 2015 11:21:48 +0000 (21:21 +1000)
When the allocation for obj->comment fails, set obj->num_comments
to zero.

Patch-from: lvqcl <lvqcl.mail@gmail.com>

src/libFLAC/metadata_iterators.c
src/libFLAC/metadata_object.c
src/libFLAC/stream_decoder.c

index 1e28925..4527878 100644 (file)
@@ -2255,8 +2255,10 @@ FLAC__Metadata_SimpleIteratorStatus read_metadata_block_data_vorbis_comment_cb_(
        if(block->num_comments == 0) {
                block->comments = 0;
        }
-       else if(0 == (block->comments = calloc(block->num_comments, sizeof(FLAC__StreamMetadata_VorbisComment_Entry))))
+       else if(0 == (block->comments = calloc(block->num_comments, sizeof(FLAC__StreamMetadata_VorbisComment_Entry)))) {
+               block->num_comments = 0;
                return FLAC__METADATA_SIMPLE_ITERATOR_STATUS_MEMORY_ALLOCATION_ERROR;
+       }
 
        for(i = 0; i < block->num_comments; i++) {
                status = read_metadata_block_data_vorbis_comment_entry_cb_(handle, read_cb, block->comments + i, block_length);
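Review bot: The new `block->num_comments = 0;` carries no comment saying why a count is being rewritten on an error path, and the reason is not obvious from the line itself. The intent appears to be that a non-zero count must never sit next to `comments == 0`, so that later cleanup or iteration over the block cannot index a null array. A one-line comment would record that, e.g. `/* keep num_comments consistent with comments == NULL so cleanup never walks a null array */`. The same comment fits the identical resets added in FLAC__metadata_object_clone and read_metadata_vorbiscomment_. The function body starts before and continues after this hunk.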
index a799bf8..82abe41 100644 (file)
@@ -574,6 +574,7 @@ FLAC_API FLAC__StreamMetadata *FLAC__metadata_object_clone(const FLAC__StreamMet
                                        FLAC__ASSERT(0 != object->data.vorbis_comment.comments);
                                        to->data.vorbis_comment.comments = vorbiscomment_entry_array_copy_(object->data.vorbis_comment.comments, object->data.vorbis_comment.num_comments);
                                        if(0 == to->data.vorbis_comment.comments) {
+                                               to->data.vorbis_comment.num_comments = 0;
                                                FLAC__metadata_object_delete(to);
                                                return 0;
                                        }
@@ -1195,8 +1196,10 @@ FLAC_API FLAC__bool FLAC__metadata_object_vorbiscomment_resize_comments(FLAC__St
                        free(object->data.vorbis_comment.comments);
                        object->data.vorbis_comment.comments = 0;
                }
-               else if(0 == (object->data.vorbis_comment.comments = realloc(object->data.vorbis_comment.comments, new_size)))
+               else if(0 == (object->data.vorbis_comment.comments = realloc(object->data.vorbis_comment.comments, new_size))) {
+                       object->data.vorbis_comment.num_comments = 0;
                        return false;
+               }
 
                /* if growing, zero all the length/pointers of new elements */
                if(new_size > old_size)
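Review bot: When realloc fails, the changed `else if` has already overwritten `object->data.vorbis_comment.comments` with NULL, so the old array and any entry buffers it still referenced are leaked. Resetting `num_comments` makes the object consistent but releases nothing. Assigning the result to a temporary and committing it only on success keeps the original array reachable and leaves the count valid, as in the excerpt below. The start of the function, including any trimming of entries before a shrink, is outside the hunk, so confirm that leaving the object untouched on failure is also valid for that path.

```c
		else {
			/* realloc() leaves the old block valid on failure: commit the pointer only on success */
			FLAC__StreamMetadata_VorbisComment_Entry *resized = realloc(object->data.vorbis_comment.comments, new_size);
			if(0 == resized)
				return false;
			object->data.vorbis_comment.comments = resized;
		}
		/* … unchanged: zeroing of new elements when growing … */
```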
index b2075b8..231422c 100644 (file)
@@ -1735,6 +1735,7 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre
                }
                if (obj->num_comments > 0) {
                        if (0 == (obj->comments = safe_malloc_mul_2op_p(obj->num_comments, /*times*/sizeof(FLAC__StreamMetadata_VorbisComment_Entry)))) {
+                               obj->num_comments = 0;
                                decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
                                return false;
                        }
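Review bot: The reset of `obj->num_comments` covers the allocation failure only, and the array here comes from `safe_malloc_mul_2op_p`, which by its name is a malloc wrapper. Unlike the `calloc` used in metadata_iterators.c, it presumably leaves the entries uninitialized. The loop that fills the entries is outside this hunk. If that loop can return early on a truncated or malformed block, `num_comments` should be lowered to the number of entries already initialized, or each entry's `length` and `entry` zeroed before it is read into. Otherwise cleanup may free an indeterminate pointer.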