Fix some OOM metadata bugs, disable OOM checking in metadata fuzzing

For now OOM emulation in fuzzer_metadata is disabled, as I really want to get as much merged as soon as possible. Need to get back to this at some point
2022-08-19 21:33:15 +02:00 · 2022-08-19 21:33:15 +02:00 · 5bc582b2c7
commit 5bc582b2c7
parent 1f21ae2702
4 changed files with 36 additions and 17 deletions
--- a/oss-fuzz/fuzzer_metadata.cc
+++ b/oss-fuzz/fuzzer_metadata.cc
@ -61,7 +61,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)

 	command_length = data[0] >> 4;

-	if(data[1] < 128) /* Use MSB as on/off */
+	if(0)//data[1] < 128) /* Use MSB as on/off */
 		alloc_check_threshold = data[1];
 	else
 		alloc_check_threshold = INT32_MAX;
@ -218,22 +218,37 @@ static void run_tests_with_level_2_interface(char filename[], bool ogg, bool use
 			case 5:
 				if(metadata_block_transfer != 0 && metadata_block_transfer->is_valid()) {
 					metadata_block_put = FLAC::Metadata::clone(metadata_block_transfer);
-					if(!iterator.insert_block_before(metadata_block_put))
-						delete metadata_block_put;
+					if(metadata_block_put != 0 && metadata_block_put->is_valid()) {
+						if(!iterator.insert_block_before(metadata_block_put))
+							delete metadata_block_put;
+					}
+					else
+						if(metadata_block_put != 0)
+							delete metadata_block_put;
 				}
 				break;
 			case 6:
 				if(metadata_block_transfer != 0 && metadata_block_transfer->is_valid()) {
 					metadata_block_put = FLAC::Metadata::clone(metadata_block_transfer);
-					if(!iterator.insert_block_after(metadata_block_put))
-						delete metadata_block_put;
+					if(metadata_block_put != 0 && metadata_block_put->is_valid()) {
+						if(!iterator.insert_block_after(metadata_block_put))
+							delete metadata_block_put;
+					}
+					else
+						if(metadata_block_put != 0)
+							delete metadata_block_put;
 				}
 				break;
 			case 7:
 				if(metadata_block_transfer != 0 && metadata_block_transfer->is_valid()) {
 					metadata_block_put = FLAC::Metadata::clone(metadata_block_transfer);
-					if(!iterator.set_block(metadata_block_put))
-						delete metadata_block_put;
+					if(metadata_block_put != 0 && metadata_block_put->is_valid()) {
+						if(!iterator.set_block(metadata_block_put))
+							delete metadata_block_put;
+					}
+					else
+						if(metadata_block_put != 0)
+							delete metadata_block_put;
 				}
 				break;
 			case 8: /* Examine block */
--- a/oss-fuzz/fuzzer_seek.cc
+++ b/oss-fuzz/fuzzer_seek.cc
@ -47,11 +47,11 @@ int write_abort_check_counter = -1;
 static FLAC__StreamDecoderWriteStatus write_callback(const FLAC__StreamDecoder *decoder, const FLAC__Frame *frame, const FLAC__int32 *const buffer[], void *client_data)
 {
        (void)decoder, (void)frame, (void)buffer, (void)client_data;
-	if(write_abort_check_counter > 0)
+	if(write_abort_check_counter > 0) {
 		write_abort_check_counter--;
 		if(write_abort_check_counter == 0)
 			return FLAC__STREAM_DECODER_WRITE_STATUS_ABORT;
-	else if(write_abort_check_counter == 0)
+	} else if(write_abort_check_counter == 0)
 		/* This must not happen: write callback called after abort is returned */
 		abort();
        return FLAC__STREAM_DECODER_WRITE_STATUS_CONTINUE;
@ -70,11 +70,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 	uint8_t command_length;
 	FLAC__bool init_bools[16], ogg;

-        if(size > 2 && data[1] < 128) /* Use MSB as on/off */
-                alloc_check_threshold = data[1];
-        else
-                alloc_check_threshold = INT32_MAX;
-        alloc_check_counter = 0;
+	if(size > 2 && data[1] < 128) /* Use MSB as on/off */
+		alloc_check_threshold = data[1];
+	else
+		alloc_check_threshold = INT32_MAX;
+	alloc_check_counter = 0;

 	write_abort_check_counter = -1;

--- a/src/libFLAC/metadata_object.c
+++ b/src/libFLAC/metadata_object.c
@ -1183,8 +1183,10 @@ FLAC_API FLAC__bool FLAC__metadata_object_vorbiscomment_resize_comments(FLAC__St
 				return false;
 			for (uint32_t i = 0; i < new_num_comments; i++) {
 				object->data.vorbis_comment.comments[i].length = 0;
-				if ((object->data.vorbis_comment.comments[i].entry = safe_malloc_(1)) == NULL)
+				if ((object->data.vorbis_comment.comments[i].entry = safe_malloc_(1)) == NULL) {
+					object->data.vorbis_comment.num_comments = i+1;
 					return false;
+				}
 				object->data.vorbis_comment.comments[i].entry[0] = '\0';
 			}
 		}
@ -1223,8 +1225,10 @@ FLAC_API FLAC__bool FLAC__metadata_object_vorbiscomment_resize_comments(FLAC__St
 		if (new_size > old_size) {
 			for (uint32_t i = object->data.vorbis_comment.num_comments; i < new_num_comments; i++) {
 				object->data.vorbis_comment.comments[i].length = 0;
-				if ((object->data.vorbis_comment.comments[i].entry = safe_malloc_(1)) == NULL)
+				if ((object->data.vorbis_comment.comments[i].entry = safe_malloc_(1)) == NULL) {
+					object->data.vorbis_comment.num_comments = i+1;
 					return false;
+				}
 				object->data.vorbis_comment.comments[i].entry[0] = '\0';
 			}
 		}
--- a/src/libFLAC/stream_decoder.c
+++ b/src/libFLAC/stream_decoder.c
@ -1525,7 +1525,7 @@ FLAC__bool read_metadata_(FLAC__StreamDecoder *decoder)
 						free(block.data.vorbis_comment.comments);
 					break;
 				case FLAC__METADATA_TYPE_CUESHEET:
-					if(block.data.cue_sheet.num_tracks > 0)
+					if(block.data.cue_sheet.num_tracks > 0 && 0 != block.data.cue_sheet.tracks)
 						for(i = 0; i < block.data.cue_sheet.num_tracks; i++)
 							if(0 != block.data.cue_sheet.tracks[i].indices)
 								free(block.data.cue_sheet.tracks[i].indices);