From 2e9e0dfe61fa5cff7c62de9c02d2e3e330c34f34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?kleines=20Filmr=C3=B6llchen?= Date: Tue, 27 Jun 2023 20:25:57 +0200 Subject: [PATCH] LibAudio: Check that LPC order is smaller than subframe sample count An LPC predictor (fixed or not) contains as many warm-up samples as its order. Therefore, the corresponding subframe must have at least this many samples. This turns this fuzzer-found crash into a handleable format error. --- Userland/Libraries/LibAudio/FlacLoader.cpp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Userland/Libraries/LibAudio/FlacLoader.cpp b/Userland/Libraries/LibAudio/FlacLoader.cpp index 1ab709791e..bbc6378088 100644 --- a/Userland/Libraries/LibAudio/FlacLoader.cpp +++ b/Userland/Libraries/LibAudio/FlacLoader.cpp @@ -724,6 +724,10 @@ ErrorOr, LoaderError> FlacLoaderPlugin::decode_verbatim(FlacSubframe // Decode a subframe encoded with a custom linear predictor coding, i.e. the subframe provides the polynomial order and coefficients ErrorOr, LoaderError> FlacLoaderPlugin::decode_custom_lpc(FlacSubframeHeader& subframe, BigEndianInputBitStream& bit_input) { + // LPC must provide at least as many samples as its order. + if (subframe.order > m_current_frame->sample_count) + return LoaderError { LoaderError::Category::Format, static_cast(m_current_sample_or_frame), "Too small frame for LPC order" }; + Vector decoded; decoded.ensure_capacity(m_current_frame->sample_count); 
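Review bot: The new guard in `decode_custom_lpc` only covers the warm-up read; a header that passes `order <= sample_count` can still drive the residual stage negative, because in FLAC's residual coding the first partition carries `(sample_count >> partition_order) - order` samples, and with `partition_order > 0` that is below zero for e.g. 16 samples, order 12, partition order 1. If the residual decoder (not in this hunk) performs that subtraction on an unsigned count without its own check, the same class of fuzzer-found crash survives this patch, so it is worth confirming it rejects `(sample_count >> partition_order) < order` with a Format error as well. I would also make the comment say what is actually validated rather than "LPC must provide": `// The subframe must hold at least `order` warm-up samples before any residual can follow.` The body of `decode_custom_lpc` continues beyond the end of the hunk.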
@@ -779,6 +783,10 @@ ErrorOr, LoaderError> FlacLoaderPlugin::decode_custom_lpc(FlacSubfra // Decode a subframe encoded with one of the fixed linear predictor codings ErrorOr, LoaderError> FlacLoaderPlugin::decode_fixed_lpc(FlacSubframeHeader& subframe, BigEndianInputBitStream& bit_input) { + // LPC must provide at least as many samples as its order. + if (subframe.order > m_current_frame->sample_count) + return LoaderError { LoaderError::Category::Format, static_cast(m_current_sample_or_frame), "Too small frame for LPC order" }; + Vector decoded; decoded.ensure_capacity(m_current_frame->sample_count);
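Review bot: This hunk repeats verbatim the three-line check and error string just added to `decode_custom_lpc`, so the two sites can silently drift apart; since `subframe.order` is fixed once the subframe header is parsed, a single check at that point (presumably in the subframe-header parser, which is outside this patch) would cover both predictor kinds and any future one. If the check stays here, the comment should reflect the fixed-predictor case: assuming the header parser already bounds the fixed order to 0–4 as the format requires, this guard only fires for subframes shorter than five samples, so `// A fixed predictor of order N consumes N warm-up samples; reject subframes shorter than that.` tells the reader why it is still needed. `decode_fixed_lpc`'s body continues past the end of the hunk.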