diff options
author | Erik de Castro Lopo <erikd@mega-nerd.com> | 2014-12-17 19:02:26 +1100 |
---|---|---|
committer | SteadyQuad <SteadyQuad@gmail.com> | 2016-10-21 21:23:30 +0200 |
commit | 34e4013ec49ae821dc15e231b078cb0f414530ef (patch) | |
tree | df4d0fd303239806eed9598d470a669a946201b6 | |
parent | 6e50dc96093ac71c1856da8546d6bf04681ce820 (diff) | |
download | android_external_flac-cm-11.0.tar.gz android_external_flac-cm-11.0.tar.bz2 android_external_flac-cm-11.0.zip |
src/libFLAC/stream_decoder.c : Fix NULL de-reference.cm-11.0
NULL de-reference can really only happen on a malformed file.
Found using afl (http://lcamtuf.coredump.cx/afl/).
Bug: 27211885
Change-Id: Iad7ced634d417df475050c8f379e0e95ec36b115
(cherry picked from commit 83a817d2002b2b439ed85c002b18666b4dcb6cfd)
-rw-r--r-- | libFLAC/stream_decoder.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libFLAC/stream_decoder.c b/libFLAC/stream_decoder.c index d9bbb6e..81f4bf8 100644 --- a/libFLAC/stream_decoder.c +++ b/libFLAC/stream_decoder.c @@ -1722,8 +1722,10 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre } for(i = 0; i < obj->num_comments; i++) { FLAC__ASSERT(FLAC__STREAM_METADATA_VORBIS_COMMENT_ENTRY_LENGTH_LEN == 32); - if(!FLAC__bitreader_read_uint32_little_endian(decoder->private_->input, &obj->comments[i].length)) + if( !FLAC__bitreader_read_uint32_little_endian(decoder->private_->input, &obj->comments[i].length)) { + obj->num_comments = i; return false; /* read_callback_ sets the state for us */ + } if(obj->comments[i].length > 0) { if(0 == (obj->comments[i].entry = safe_malloc_add_2op_(obj->comments[i].length, /*+*/1))) { decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR; |