Fix some OOM metadata bugs, disable OOM checking in metadata fuzzing

For now, OOM emulation in fuzzer_metadata is disabled, as I really
want to get as much merged as possible, as soon as possible. This needs
to be revisited at some point.
Martijn van Beurden 2022-08-19 21:33:15 +02:00
parent 1f21ae2702
commit 5bc582b2c7
4 changed files with 36 additions and 17 deletions


@ -61,7 +61,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
command_length = data[0] >> 4;
if(data[1] < 128) /* Use MSB as on/off */
if(0)//data[1] < 128) /* Use MSB as on/off */
alloc_check_threshold = data[1];
else
alloc_check_threshold = INT32_MAX;
@ -218,22 +218,37 @@ static void run_tests_with_level_2_interface(char filename[], bool ogg, bool use
case 5:
if(metadata_block_transfer != 0 && metadata_block_transfer->is_valid()) {
metadata_block_put = FLAC::Metadata::clone(metadata_block_transfer);
if(!iterator.insert_block_before(metadata_block_put))
delete metadata_block_put;
if(metadata_block_put != 0 && metadata_block_put->is_valid()) {
if(!iterator.insert_block_before(metadata_block_put))
delete metadata_block_put;
}
else
if(metadata_block_put != 0)
delete metadata_block_put;
}
break;
case 6:
if(metadata_block_transfer != 0 && metadata_block_transfer->is_valid()) {
metadata_block_put = FLAC::Metadata::clone(metadata_block_transfer);
if(!iterator.insert_block_after(metadata_block_put))
delete metadata_block_put;
if(metadata_block_put != 0 && metadata_block_put->is_valid()) {
if(!iterator.insert_block_after(metadata_block_put))
delete metadata_block_put;
}
else
if(metadata_block_put != 0)
delete metadata_block_put;
}
break;
case 7:
if(metadata_block_transfer != 0 && metadata_block_transfer->is_valid()) {
metadata_block_put = FLAC::Metadata::clone(metadata_block_transfer);
if(!iterator.set_block(metadata_block_put))
delete metadata_block_put;
if(metadata_block_put != 0 && metadata_block_put->is_valid()) {
if(!iterator.set_block(metadata_block_put))
delete metadata_block_put;
}
else
if(metadata_block_put != 0)
delete metadata_block_put;
}
break;
case 8: /* Examine block */
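Review bot: The clone / validate / insert-or-delete sequence is now pasted three times in cases 5, 6 and 7, differing only in which iterator call receives the block, so the next change to the error handling has to be made in three places and will drift. A single helper that takes the put operation keeps one copy of the rule and can also reset `metadata_block_put` to 0 after the `delete`, which the current code does not do, leaving a dangling pointer in a variable the rest of the switch may read (run_tests_with_level_2_interface continues outside the hunk, so I cannot tell whether it is used later). The fence below uses a lambda declared before the switch; a `static` function works equally if the file must avoid C++11. In the first hunk, `if(0)//data[1] < 128)` records the intent only in the commit message; a `/* TODO: OOM emulation disabled for now, see commit 5bc582b2c7 */` comment beside the guard would keep it visible in the source.
```cpp
/* Clone the transfer block and hand the copy to one iterator operation:
 * how == 0 insert_block_before, 1 insert_block_after, 2 set_block.
 * The copy is freed when it is invalid or rejected (assumes a rejected block
 * is not adopted by the iterator, which is what the existing delete-on-false
 * already relies on). Declared before the switch. */
auto put_clone = [&](int how) {
	metadata_block_put = FLAC::Metadata::clone(metadata_block_transfer);
	if(metadata_block_put == 0)
		return;
	bool accepted = metadata_block_put->is_valid();
	if(accepted)
		accepted = how == 0 ? iterator.insert_block_before(metadata_block_put)
		         : how == 1 ? iterator.insert_block_after(metadata_block_put)
		                    : iterator.set_block(metadata_block_put);
	if(!accepted) {
		delete metadata_block_put;
		metadata_block_put = 0; /* do not leave a dangling pointer for later cases */
	}
};
// … unchanged: earlier cases of the switch …
case 5:
	if(metadata_block_transfer != 0 && metadata_block_transfer->is_valid())
		put_clone(0);
	break;
case 6:
	if(metadata_block_transfer != 0 && metadata_block_transfer->is_valid())
		put_clone(1);
	break;
case 7:
	if(metadata_block_transfer != 0 && metadata_block_transfer->is_valid())
		put_clone(2);
	break;
```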


@ -47,11 +47,11 @@ int write_abort_check_counter = -1;
static FLAC__StreamDecoderWriteStatus write_callback(const FLAC__StreamDecoder *decoder, const FLAC__Frame *frame, const FLAC__int32 *const buffer[], void *client_data)
{
(void)decoder, (void)frame, (void)buffer, (void)client_data;
if(write_abort_check_counter > 0)
if(write_abort_check_counter > 0) {
write_abort_check_counter--;
if(write_abort_check_counter == 0)
return FLAC__STREAM_DECODER_WRITE_STATUS_ABORT;
else if(write_abort_check_counter == 0)
} else if(write_abort_check_counter == 0)
/* This must not happen: write callback called after abort is returned */
abort();
return FLAC__STREAM_DECODER_WRITE_STATUS_CONTINUE;
@ -70,11 +70,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
uint8_t command_length;
FLAC__bool init_bools[16], ogg;
if(size > 2 && data[1] < 128) /* Use MSB as on/off */
alloc_check_threshold = data[1];
else
alloc_check_threshold = INT32_MAX;
alloc_check_counter = 0;
if(size > 2 && data[1] < 128) /* Use MSB as on/off */
alloc_check_threshold = data[1];
else
alloc_check_threshold = INT32_MAX;
alloc_check_counter = 0;
write_abort_check_counter = -1;
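Review bot: The three states of `write_abort_check_counter` that the reworked write_callback now distinguishes (greater than zero: writes left before returning ABORT; zero: ABORT was already returned, so a further call is the bug the comment describes; -1, the value the second hunk resets it to, in which the callback does nothing) are documented nowhere except by reading the branches, and the bare `else if` that calls abort() next to the newly braced `if` is easy to misread as belonging to the inner `if(write_abort_check_counter == 0)`. A comment at the top of the callback, `/* write_abort_check_counter: >0 = writes left before returning ABORT, 0 = ABORT already returned (any further call is a decoder bug), -1 = check disabled */`, and braces on the `else if` branch to match the new braced `if` would make the contract explicit. The closing brace of write_callback and the rest of LLVMFuzzerTestOneInput lie outside the hunks.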


@ -1183,8 +1183,10 @@ FLAC_API FLAC__bool FLAC__metadata_object_vorbiscomment_resize_comments(FLAC__St
return false;
for (uint32_t i = 0; i < new_num_comments; i++) {
object->data.vorbis_comment.comments[i].length = 0;
if ((object->data.vorbis_comment.comments[i].entry = safe_malloc_(1)) == NULL)
if ((object->data.vorbis_comment.comments[i].entry = safe_malloc_(1)) == NULL) {
object->data.vorbis_comment.num_comments = i+1;
return false;
}
object->data.vorbis_comment.comments[i].entry[0] = '\0';
}
}
@ -1223,8 +1225,10 @@ FLAC_API FLAC__bool FLAC__metadata_object_vorbiscomment_resize_comments(FLAC__St
if (new_size > old_size) {
for (uint32_t i = object->data.vorbis_comment.num_comments; i < new_num_comments; i++) {
object->data.vorbis_comment.comments[i].length = 0;
if ((object->data.vorbis_comment.comments[i].entry = safe_malloc_(1)) == NULL)
if ((object->data.vorbis_comment.comments[i].entry = safe_malloc_(1)) == NULL) {
object->data.vorbis_comment.num_comments = i+1;
return false;
}
object->data.vorbis_comment.comments[i].entry[0] = '\0';
}
}
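Review bot: Setting `num_comments = i+1` on the failed `safe_malloc_(1)` keeps the slot whose allocation just failed inside the live range with `entry == NULL`, so any consumer that dereferences `entry` for every index below `num_comments` after this function returned false would hit a NULL pointer; if the only goal is to let the object's delete path release what was allocated, `num_comments = i` is sufficient because the failed slot has nothing to free. If counting the NULL slot is deliberate (for example because the delete path or a later resize needs it), a one-line comment stating that, `/* i+1: slot i has entry == NULL but must be counted so ... */`, would stop the next reader from "fixing" it. The same failure handling appears in both hunks of this file and the two copies should stay identical; the function continues outside the hunks.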


@ -1525,7 +1525,7 @@ FLAC__bool read_metadata_(FLAC__StreamDecoder *decoder)
free(block.data.vorbis_comment.comments);
break;
case FLAC__METADATA_TYPE_CUESHEET:
if(block.data.cue_sheet.num_tracks > 0)
if(block.data.cue_sheet.num_tracks > 0 && 0 != block.data.cue_sheet.tracks)
for(i = 0; i < block.data.cue_sheet.num_tracks; i++)
if(0 != block.data.cue_sheet.tracks[i].indices)
free(block.data.cue_sheet.tracks[i].indices);
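Review bot: The added `0 != block.data.cue_sheet.tracks` guard stops the NULL dereference, but the loop that follows still calls free() on `tracks[i].indices` for every track up to `num_tracks`, which is only safe if every entry of the tracks array up to that count has a NULL or valid `indices` pointer when the reader gives up partway (for instance on a failed allocation in the cuesheet reader, which is outside this hunk and which I cannot inspect here); if that array is allocated without zeroing and filled incrementally, the unread tracks hold garbage and this cleanup frees arbitrary pointers. A comment naming the invariant, `/* tracks may be NULL when its allocation failed; indices of tracks not yet read must be NULL (zeroed allocation) for this loop to be safe */`, would make the assumption reviewable, and `num_tracks > 0` is redundant with the loop condition and can go. The `free(block.data.cue_sheet.tracks)` that presumably follows is not in the hunk.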