From 8bc56c7fb0782073f65880a789e3999a8b27a6a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?kleines=20Filmr=C3=B6llchen?=
Date: Mon, 26 Jun 2023 15:40:05 +0200
Subject: [PATCH] LibAudio: Prevent FLAC Rice partitions getting smaller than 1 sample

This would cause an integer underflow leading to us trying to allocate over 4GB for residual samples.
---
 Userland/Libraries/LibAudio/FlacLoader.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibAudio/FlacLoader.cpp b/Userland/Libraries/LibAudio/FlacLoader.cpp
index a70e17edd1..c935310adc 100644
--- a/Userland/Libraries/LibAudio/FlacLoader.cpp
+++ b/Userland/Libraries/LibAudio/FlacLoader.cpp
@@ -875,6 +875,9 @@ MaybeLoaderError FlacLoaderPlugin::decode_residual(Vector& decoded, FlacSub
 u8 partition_order = LOADER_TRY(bit_input.read_bits(4));
 size_t partitions = 1 << partition_order;
 
+ if (partitions > m_current_frame->sample_count)
+ return LoaderError { LoaderError::Category::Format, static_cast(m_current_sample_or_frame), "Too many Rice partitions, each partition must contain at least one sample" };
+
 if (residual_mode == FlacResidualMode::Rice4Bit) {
 // 11.30.2. RESIDUAL_CODING_METHOD_PARTITIONED_EXP_GOLOMB
 // decode a single Rice partition with four bits for the order k
@@ -907,8 +910,11 @@ ALWAYS_INLINE ErrorOr, LoaderError> FlacLoaderPlugin::decode_rice_pa
 residual_sample_count = m_current_frame->sample_count - subframe.order;
 else
 residual_sample_count = m_current_frame->sample_count / partitions;
- if (partition_index == 0)
+ if (partition_index == 0) {
+ if (subframe.order > residual_sample_count)
+ return LoaderError { LoaderError::Category::Format, static_cast(m_current_sample_or_frame), "First Rice partition must advertise more residuals than LPC order" };
 residual_sample_count -= subframe.order;
+ }
 
 Vector rice_partition;
 rice_partition.resize(residual_sample_count);
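Review bot: The new `partitions > m_current_frame->sample_count` guard in decode_residual carries no comment tying it to the failure it prevents, which lives in a different function (in decode_rice_partition the quotient `sample_count / partitions` becomes 0 and the first-partition subtraction of `subframe.order` wraps before `rice_partition.resize`), so a later cleanup could drop it as redundant; add `// Each partition must hold at least one sample, otherwise sample_count / partitions is 0 in decode_rice_partition and the first-partition order subtraction underflows.` above the `if`. The guard also still admits a sample count that is not a multiple of `partitions`, which the FLAC format does not allow for a non-zero partition order; with the truncating division in decode_rice_partition the frame would presumably decode fewer residuals than it holds and leave `decoded` short, so a follow-up `if (m_current_frame->sample_count % partitions != 0)` rejection with the same LoaderError shape is worth considering if the rest of the decoder does not already handle a short count. decode_residual continues outside the hunk.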
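Review bot: The order check is added only on the `partition_index == 0` path after the `/ partitions` division; the sibling branch whose body is the hunk's first context line, `residual_sample_count = m_current_frame->sample_count - subframe.order;`, still subtracts `subframe.order` unchecked, so if that branch is reachable with `subframe.order > sample_count` the same wrap-around presumably reaches `rice_partition.resize(residual_sample_count)`. Hoisting one comparison above both branches, `if (subframe.order > m_current_frame->sample_count) return LoaderError { LoaderError::Category::Format, static_cast<size_t>(m_current_sample_or_frame), "LPC order exceeds frame sample count" };`, would cover both paths without relying on the caller's partition bound. The new message "First Rice partition must advertise more residuals than LPC order" says "more" while the condition accepts equality (which leaves a zero-length first partition); "at least as many residuals as" would match the code. decode_rice_partition starts before the hunk, so the condition that selects between the two branches is not visible here.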