From 21b1db4a7891afdd453ee60085afc92cf61913ca Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Thu, 23 Feb 2017 13:01:03 +0100 Subject: [PATCH] Report format error when order > frame length A file where this happens is invalid. Instead of causing an index out of bounds, this should report an error. Fortunately this is Rust, which panics on out of bounds indexing, instead of C which would have had an out of bounds read. Found using libfuzzer and cargo-fuzz. --- src/subframe.rs | 7 +++++++ .../5b004788ba05db06d0f6cc8a7a43e334c9d31c44.flac | Bin 0 -> 177 bytes 2 files changed, 7 insertions(+) create mode 100644 testsamples/fuzz/5b004788ba05db06d0f6cc8a7a43e334c9d31c44.flac diff --git a/src/subframe.rs b/src/subframe.rs index c8463e4..cd82216 100644 --- a/src/subframe.rs +++ b/src/subframe.rs @@ -583,6 +583,13 @@ fn decode_lpc(input: &mut Bitstream, // The order minus one fits in 5 bits, so the order is at most 32. debug_assert!(order <= 32); + // On the frame decoding level it is ensured that the buffer is large + // enough. If it can't even fit the warm-up samples, then there is a frame + // smaller than its lpc order, which is invalid. + if buffer.len() < order as usize { + return fmt_err("invalid subframe, buffer is too small for given lpc order") + } + // There are order * bits per sample unencoded warm-up sample bits. try!(decode_verbatim(input, bps, &mut buffer[..order as usize])); diff --git a/testsamples/fuzz/5b004788ba05db06d0f6cc8a7a43e334c9d31c44.flac b/testsamples/fuzz/5b004788ba05db06d0f6cc8a7a43e334c9d31c44.flac new file mode 100644 index 0000000000000000000000000000000000000000..e501bab7b6677421631660f3b190f977758cbfe7 GIT binary patch literal 177 zcmYfENpx;tU{DfZ5MW?num>WpBMu*cOsfna0S02zbJ$-y9$oJN|4WMgLz zpz%Ts3?&QpwR#S#Xu4O*7zoj literal 0 HcmV?d00001