libFLAC: Restrict number of bytes in a frame

Bug: 170738121

Test: POC in bug descriptions

Change-Id: I177537ed1b54cb1d61ea8d75203637cecc594696
diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c
index 6707017..51a438c 100644
--- a/src/libFLAC/stream_decoder.c
+++ b/src/libFLAC/stream_decoder.c
@@ -2996,7 +2996,7 @@
 	FLAC__uint64 first_frame_offset = decoder->private_->first_frame_offset, lower_bound, upper_bound, lower_bound_sample, upper_bound_sample, this_frame_sample;
 	FLAC__int64 pos = -1;
 	int i;
-	uint32_t approx_bytes_per_frame;
+	FLAC__int64 approx_bytes_per_frame;
 	FLAC__bool first_seek = true;
 	const FLAC__uint64 total_samples = FLAC__stream_decoder_get_total_samples(decoder);
 	const uint32_t min_blocksize = decoder->private_->stream_info.data.stream_info.min_blocksize;
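Review bot: The new `FLAC__int64 approx_bytes_per_frame` declaration makes a byte count signed, while `lower_bound` and `upper_bound` on the first context line are `FLAC__uint64`, and nothing on the line says why. If a signed type is needed for arithmetic with `pos` (not visible here), a comment should record it, for example `/* 64-bit: doubled on every failed back-seek, must not wrap; signed to match pos */`. Otherwise `FLAC__uint64` would keep the later comparison against the bounds free of implicit sign conversion. The enclosing function starts and ends outside this hunk, so other assignments to the variable could not be checked for narrowing.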
@@ -3041,6 +3041,12 @@
 	upper_bound = stream_length;
 	upper_bound_sample = total_samples > 0 ? total_samples : target_sample /*estimate it*/;
 
+	/* seeking beyond the end of the stream */
+	if(target_sample > upper_bound_sample) {
+		decoder->protected_->state = FLAC__STREAM_DECODER_SEEK_ERROR;
+		return false;
+	}
+
 	/*
 	 * Now we refine the bounds if we have a seektable with
 	 * suitable points.  Note that according to the spec they
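Review bot: The added guard `if(target_sample > upper_bound_sample)` still accepts `target_sample == total_samples`, which is one past the last sample when the total is known. If no caller rejects that case (callers are outside this hunk), `if(total_samples > 0 && target_sample >= total_samples)` would be the tighter test. When `total_samples` is 0, the context line above sets `upper_bound_sample` to `target_sample`, so the guard never fires for streams of unknown length. The comment should say so, e.g. `/* reject seeks past the known end; no-op when total_samples is unknown */`.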
@@ -3169,7 +3175,7 @@
 				return false;
 			}
 			/* our last move backwards wasn't big enough, try again */
-			approx_bytes_per_frame = approx_bytes_per_frame? approx_bytes_per_frame * 2 : 16;
+			approx_bytes_per_frame = (approx_bytes_per_frame > (upper_bound - lower_bound)) ? (upper_bound - lower_bound) : approx_bytes_per_frame ? approx_bytes_per_frame * 2 : 16;
 			continue;
 		}
 		/* allow one seek over upper bound, so we can get a correct upper_bound_sample for streams with unknown total_samples */
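Review bot: The comparison `approx_bytes_per_frame > (upper_bound - lower_bound)` on the changed line mixes the now-signed `FLAC__int64` with a `FLAC__uint64` difference, so it is evaluated as unsigned, and the clamp then stores an unsigned value back into a signed variable. If `upper_bound` can ever be below `lower_bound` at this point (not decidable from the hunk), the subtraction wraps to a huge value and the clamp never triggers. Naming the span once and splitting the nested ternary makes both conversions explicit: `const FLAC__uint64 span = upper_bound - lower_bound;` followed by `if((FLAC__uint64)approx_bytes_per_frame > span) approx_bytes_per_frame = (FLAC__int64)span; else approx_bytes_per_frame = approx_bytes_per_frame ? approx_bytes_per_frame * 2 : 16;`. A comment such as `/* never back up by more than the remaining search window */` would state the intent; the loop this sits in starts outside the hunk.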