[flac-dev] Two new CVEs against FLAC

[lvqcl]

Martijn van Beurden wrote:

> For example, it could be checked whether the sample
> rate, blocksize, number of channels and sample size in the frame
> header match with those in the stream info, and whether the
> sample or framenumber is in a sane range. This gives less
> security than fully decoding the frame, but it ensures the seek
> process will no longer fail because of these CVE sanity checks.


IIRC flake encoder is able to create FLAC files with variable blocksizes.
So it's better to assume that blocksize is not constant.