From 10c0a5f610446d04c7e2794a0884acb22bb5859f Mon Sep 17 00:00:00 2001
From: Martijn van Beurden
Date: Wed, 29 Jun 2022 09:14:29 +0200
Subject: [PATCH] Add INT64_MAX limit to seekpoints

FLAC seekpoints are coded in unsigned 64-bit ints, but the code handling them uses signed 64-bit ints. Since users are unlikely to run into this limit anyway, do not use seekpoints larger than INT64_MAX
Credit: Oss-Fuzz
Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48112
---
 src/libFLAC/stream_decoder.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c
index 689bd2bb..fe8c451a 100644
--- a/src/libFLAC/stream_decoder.c
+++ b/src/libFLAC/stream_decoder.c
@@ -3283,7 +3283,9 @@ FLAC__bool seek_to_absolute_sample_(FLAC__StreamDecoder *decoder, FLAC__uint64 s
  * must be ordered by ascending sample number.
  *
  * Note: to protect against invalid seek tables we will ignore points
- * that have frame_samples==0 or sample_number>=total_samples
+ * that have frame_samples==0 or sample_number>=total_samples. Also,
+ * because math is limited to 64-bit ints, seekpoints with an offset
+ * larger than 2^63 (8 exbibyte) are rejected.
  */
 if(seek_table) {
 FLAC__uint64 new_lower_bound = lower_bound;
@@ -3312,7 +3314,8 @@ FLAC__bool seek_to_absolute_sample_(FLAC__StreamDecoder *decoder, FLAC__uint64 s
 seek_table->points[i].sample_number != FLAC__STREAM_METADATA_SEEKPOINT_PLACEHOLDER &&
 seek_table->points[i].frame_samples > 0 && /* defense against bad seekpoints */
 (total_samples <= 0 || seek_table->points[i].sample_number < total_samples) && /* defense against bad seekpoints */
- seek_table->points[i].sample_number > target_sample
+ seek_table->points[i].sample_number > target_sample &&
+ seek_table->points[i].stream_offset < (FLAC__uint64)INT64_MAX
 )
 break;
 }
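Review bot: The `stream_offset < (FLAC__uint64)INT64_MAX` guard in the second hunk is applied only to the `> target_sample` search, and if the surrounding function has the symmetric search for the closest point `<= target_sample` (outside this hunk) that feeds `first_frame_offset + stream_offset` into the same signed arithmetic, that loop needs the same condition or an oversized offset still reaches it. The comment added in the first hunk says offsets "larger than 2^63" are rejected, but `<` also rejects an offset equal to INT64_MAX (2^63-1); either write `at or above INT64_MAX (2^63-1)` in the comment or compare with `<=`. The new condition is the only term in the `if` without a trailing explanation, unlike its two `/* defense against bad seekpoints */` neighbours; `seek_table->points[i].stream_offset < (FLAC__uint64)INT64_MAX /* keep signed 64-bit offset math from overflowing */` would match that style. The body of seek_to_absolute_sample_ starts and ends outside both hunks.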