

Fix heap overflow under out-of-memory conditions ...
... and use realloc of linkdetails more efficiently. This should
reduce the number of fuzzer timeouts for fuzzer_seek

Credit: Oss-Fuzz
Issue: https://issues.oss-fuzz.com/issues/379254072
ktmf01 committed Nov 28, 2024
1 parent a0e30a4 commit 906858a
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions src/libFLAC/ogg_decoder_aspect.c
Expand Up @@ -146,15 +146,15 @@ static FLAC__OggDecoderAspectReadStatus process_page_(FLAC__OggDecoderAspect *as

static FLAC__bool check_size_of_link_allocation_(FLAC__OggDecoderAspect *aspect)
{
/* reallocate in chunks of 4 */
/* double on reallocating */
if(aspect->current_linknumber >= aspect->number_of_links_allocated || aspect->current_linknumber_advance_read >= aspect->number_of_links_allocated) {
FLAC__OggDecoderAspect_LinkDetails * tmpptr = NULL;
if(NULL == (tmpptr = safe_realloc_nofree_mul_2op_(aspect->linkdetails,4+aspect->number_of_links_allocated,sizeof(FLAC__OggDecoderAspect_LinkDetails)))) {
if(NULL == (tmpptr = safe_realloc_nofree_mul_2op_(aspect->linkdetails,2*aspect->number_of_links_allocated,sizeof(FLAC__OggDecoderAspect_LinkDetails)))) {
return false;
}
aspect->linkdetails = tmpptr;
memset(aspect->linkdetails + aspect->number_of_links_allocated, 0, 4 * sizeof(FLAC__OggDecoderAspect_LinkDetails));
aspect->number_of_links_allocated += 4;
memset(aspect->linkdetails + aspect->number_of_links_allocated, 0, aspect->number_of_links_allocated * sizeof(FLAC__OggDecoderAspect_LinkDetails));
aspect->number_of_links_allocated *= 2;
}
return true;
}
Expand Down Expand Up @@ -454,6 +454,11 @@ FLAC__OggDecoderAspectReadStatus FLAC__ogg_decoder_aspect_skip_link(FLAC__OggDec
if(seek_callback == NULL || tell_callback == NULL || length_callback == NULL)
return FLAC__OGG_DECODER_ASPECT_READ_STATUS_CALLBACKS_NONFUNCTIONAL;

/* This extra check is here, because allocation failures while reading cannot always be
* properly passed down the chain with the current API. So, instead, check again */
if(!check_size_of_link_allocation_(aspect))
return FLAC__OGG_DECODER_ASPECT_READ_STATUS_MEMORY_ALLOCATION_ERROR;

if(aspect->current_linknumber < aspect->number_of_links_indexed) {
if(aspect->linkdetails[aspect->current_linknumber].is_last) {
/* Seek to end of stream */
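Review bot: The doubling in check_size_of_link_allocation_ never grows a zero-sized allocation: if aspect->number_of_links_allocated can be 0 on the first call (its initialisation is outside the hunk), `2*aspect->number_of_links_allocated` asks safe_realloc_nofree_mul_2op_ for zero elements, and on success the function returns true with number_of_links_allocated still 0, so the later `aspect->linkdetails[aspect->current_linknumber]` index is out of bounds — the old `4+` form did not have this case. Seeding the first growth with a fixed minimum keeps the amortised behaviour the commit wants while covering the empty case; a single computed new count also lets the memset and the bookkeeping share one value instead of repeating the doubling. Separately, the `2*` is evaluated before the helper's overflow check, so if the count is ever near the top of its type it wraps unchecked; presumably unreachable for a link count, but worth a comment such as `/* link count is far below the wrap point of its type; the helper only checks count*elemsize */`. The added guard in FLAC__ogg_decoder_aspect_skip_link is fine as a defence, but note it only guarantees one doubling ahead, which is enough as long as current_linknumber advances by at most one per call. The `new_count` type below should match whatever number_of_links_allocated is declared as.
```c
static FLAC__bool check_size_of_link_allocation_(FLAC__OggDecoderAspect *aspect)
{
	/* double on reallocating; start from a small fixed size when nothing is allocated yet */
	if(aspect->current_linknumber >= aspect->number_of_links_allocated || aspect->current_linknumber_advance_read >= aspect->number_of_links_allocated) {
		FLAC__OggDecoderAspect_LinkDetails * tmpptr = NULL;
		size_t new_count = aspect->number_of_links_allocated == 0 ? 4 : 2 * aspect->number_of_links_allocated;
		if(NULL == (tmpptr = safe_realloc_nofree_mul_2op_(aspect->linkdetails, new_count, sizeof(FLAC__OggDecoderAspect_LinkDetails)))) {
			return false;
		}
		aspect->linkdetails = tmpptr;
		memset(aspect->linkdetails + aspect->number_of_links_allocated, 0, (new_count - aspect->number_of_links_allocated) * sizeof(FLAC__OggDecoderAspect_LinkDetails));
		aspect->number_of_links_allocated = new_count;
	}
	return true;
}
```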

