diff options
author | Erik de Castro Lopo <erikd@mega-nerd.com> | 2014-11-19 19:35:59 -0800 |
---|---|---|
committer | Robert Shih <robertshih@google.com> | 2015-08-19 17:09:34 -0700 |
commit | 1d948ef7391c9e484658ba024d74433f4df37b3b (patch) | |
tree | 2aa37fbce870ebf7141e537a2652c9f7a32ff1dc /libFLAC | |
parent | 214b9dfabe821b7653bfe8db424942575fbd6167 (diff) | |
download | android_external_flac-1d948ef7391c9e484658ba024d74433f4df37b3b.tar.gz android_external_flac-1d948ef7391c9e484658ba024d74433f4df37b3b.tar.bz2 android_external_flac-1d948ef7391c9e484658ba024d74433f4df37b3b.zip |
libFLAC/stream_decoder.c : Fail safely to avoid a heap overflow.
A file provided by the reporters caused the stream decoder to write to
un-allocated heap space resulting in a segfault. The solution is to
error out (by returning false from read_residual_partitioned_rice_())
instead of trying to continue to decode.
Fixes: CVE-2014-9028
Reported-by: Michele Spagnuolo,
Google Security Team <mikispag@google.com>
Bug: 23238405
Change-Id: I5c000e3d85d884a92208efebe53aa6edaef8829e
Diffstat (limited to 'libFLAC')
-rw-r--r-- | libFLAC/stream_decoder.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libFLAC/stream_decoder.c b/libFLAC/stream_decoder.c index d13b23b..7edf735 100644 --- a/libFLAC/stream_decoder.c +++ b/libFLAC/stream_decoder.c @@ -2749,7 +2749,8 @@ FLAC__bool read_residual_partitioned_rice_(FLAC__StreamDecoder *decoder, unsigne if(decoder->private_->frame.header.blocksize < predictor_order) { send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC); decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC; - return true; + /* We have received a potentially malicious bit stream. All we can do is error out to avoid a heap overflow. */ + return false; } } else { |