Check for overflow when multiplying skip samples with sample size

Credit: Oss-Fuzz Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58606
2023-05-08 17:04:59 +02:00 · 2023-05-08 17:04:59 +02:00 · 22fffdceb8
parent afad04f0a9
commit 22fffdceb8
2 changed files with 14 additions and 0 deletions
--- a/include/share/compat.h
+++ b/include/share/compat.h
@ -52,6 +52,7 @@
 #if defined _MSC_VER || defined __BORLANDC__ || defined __MINGW32__
 #include <sys/types.h> /* for off_t */
 #define FLAC__off_t __int64 /* use this instead of off_t to fix the 2 GB limit */
+#define FLAC__OFF_T_MAX INT64_MAX
 #if !defined __MINGW32__
 #define fseeko _fseeki64
 #define ftello _ftelli64
@ -63,8 +64,11 @@
 #endif
 #else
 #define FLAC__off_t off_t
+#define FLAC__OFF_T_MAX OFF_T_MAX
 #endif

+
+
 #ifdef HAVE_INTTYPES_H
 #define __STDC_FORMAT_MACROS
 #include <inttypes.h>
--- a/src/flac/encode.c
+++ b/src/flac/encode.c
@ -1038,6 +1038,11 @@ int flac__encode_file(FILE *infile, FLAC__off_t infilesize, const char *infilena
 		/* adjust encoding parameters based on skip and until values */
 		switch(options.format) {
 			case FORMAT_RAW:
+				FLAC__ASSERT(sizeof(FLAC__off_t) == 8);
+				if(skip >= INT64_MAX / encoder_session.info.bytes_per_wide_sample) {
+					flac__utils_printf(stderr, 1, "%s: ERROR: value of --skip is too large\n", encoder_session.inbasefilename, encoder_session.info.bits_per_sample-encoder_session.info.shift);
+					return EncoderSession_finish_error(&encoder_session);
+				}
 				infilesize -= (FLAC__off_t)skip * encoder_session.info.bytes_per_wide_sample;
 				encoder_session.total_samples_to_encode = total_samples_in_input - skip;
 				break;
@ -1046,6 +1051,11 @@ int flac__encode_file(FILE *infile, FLAC__off_t infilesize, const char *infilena
 			case FORMAT_RF64:
 			case FORMAT_AIFF:
 			case FORMAT_AIFF_C:
+				FLAC__ASSERT(sizeof(FLAC__off_t) == 8);
+				if(skip >= INT64_MAX / encoder_session.info.bytes_per_wide_sample) {
+					flac__utils_printf(stderr, 1, "%s: ERROR: value of --skip is too large\n", encoder_session.inbasefilename, encoder_session.info.bits_per_sample-encoder_session.info.shift);
+					return EncoderSession_finish_error(&encoder_session);
+				}
 				encoder_session.fmt.iff.data_bytes -= skip * encoder_session.info.bytes_per_wide_sample;
 				if(options.ignore_chunk_sizes) {
 					encoder_session.total_samples_to_encode = 0;