

Fix heap overflow under out-of-memory conditions ... (#764)
... and use realloc of linkdetails more efficiently. This should
reduce the number of fuzzer timeouts for fuzzer_seek

Credit: Oss-Fuzz
Issue: https://issues.oss-fuzz.com/issues/379254072
ktmf01 authored Nov 28, 2024
1 parent a0e30a4 commit e3a7157
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions src/libFLAC/ogg_decoder_aspect.c
Expand Up @@ -146,15 +146,15 @@ static FLAC__OggDecoderAspectReadStatus process_page_(FLAC__OggDecoderAspect *as

static FLAC__bool check_size_of_link_allocation_(FLAC__OggDecoderAspect *aspect)
{
/* reallocate in chunks of 4 */
/* double on reallocating */
if(aspect->current_linknumber >= aspect->number_of_links_allocated || aspect->current_linknumber_advance_read >= aspect->number_of_links_allocated) {
FLAC__OggDecoderAspect_LinkDetails * tmpptr = NULL;
if(NULL == (tmpptr = safe_realloc_nofree_mul_2op_(aspect->linkdetails,4+aspect->number_of_links_allocated,sizeof(FLAC__OggDecoderAspect_LinkDetails)))) {
if(NULL == (tmpptr = safe_realloc_nofree_mul_2op_(aspect->linkdetails,2*aspect->number_of_links_allocated,sizeof(FLAC__OggDecoderAspect_LinkDetails)))) {
return false;
}
aspect->linkdetails = tmpptr;
memset(aspect->linkdetails + aspect->number_of_links_allocated, 0, 4 * sizeof(FLAC__OggDecoderAspect_LinkDetails));
aspect->number_of_links_allocated += 4;
memset(aspect->linkdetails + aspect->number_of_links_allocated, 0, aspect->number_of_links_allocated * sizeof(FLAC__OggDecoderAspect_LinkDetails));
aspect->number_of_links_allocated *= 2;
}
return true;
}
Expand Down Expand Up @@ -454,6 +454,11 @@ FLAC__OggDecoderAspectReadStatus FLAC__ogg_decoder_aspect_skip_link(FLAC__OggDec
if(seek_callback == NULL || tell_callback == NULL || length_callback == NULL)
return FLAC__OGG_DECODER_ASPECT_READ_STATUS_CALLBACKS_NONFUNCTIONAL;

/* This extra check is here, because allocation failures while reading cannot always be
* properly passed down the chain with the current API. So, instead, check again */
if(!check_size_of_link_allocation_(aspect))
return FLAC__OGG_DECODER_ASPECT_READ_STATUS_MEMORY_ALLOCATION_ERROR;

if(aspect->current_linknumber < aspect->number_of_links_indexed) {
if(aspect->linkdetails[aspect->current_linknumber].is_last) {
/* Seek to end of stream */
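Review bot: The doubling in check_size_of_link_allocation_ (first hunk, at line 146) has no lower bound: if number_of_links_allocated is 0 when the function is called, `2*aspect->number_of_links_allocated` is 0, the realloc requests zero bytes, the memset zeroes nothing and the count stays 0, so the function returns true without having made room for linkdetails[current_linknumber] — the same class of out-of-bounds heap write this commit is fixing. The code that sets up the initial allocation is outside the hunk and presumably seeds a non-zero count, so this may already be unreachable; if so, make the precondition explicit with `FLAC__ASSERT(aspect->number_of_links_allocated > 0); /* doubling needs a non-empty initial allocation */` at the top of the if-body, or otherwise seed a minimum, `new_count = aspect->number_of_links_allocated > 0 ? 2 * aspect->number_of_links_allocated : 4;`, and use new_count for the realloc, the memset offset and the final assignment instead of repeating the doubling. Note also that `2*aspect->number_of_links_allocated` is evaluated before the overflow-checked multiply inside safe_realloc_nofree_mul_2op_, which only covers count × element size; a link count large enough to wrap is not reachable in practice, but a one-line comment saying why (`/* 2*n cannot overflow here: n is bounded by the number of links in the stream */`) would keep the next reader from re-deriving it.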

