[flac-dev] Two new CVEs against FLAC

[Miroslav Lichvar]

On Thu, Dec 11, 2014 at 04:50:24PM +0100, Martijn van Beurden wrote:
> 2014-12-11 14:34 GMT+01:00 Miroslav Lichvar <mlichvar at redhat.com>:
> > So the problem is that FLAC__stream_decoder_process_single returns
> > error before it finds a valid frame?
> >
> 
> I'm not sure whether we mean the same thing, but I think the problem is
> that seek_to_absolute_sample_ calls FLAC__stream_decoder_process_single,
> which calls read_frame_, which calls read_subframe_, which calls either
> read_subframe_fixed_ or read_subframe_lpc_, which call
> read_residual_partitioned_rice_. The return false set there is propagated
> all the way down.

After few hours of a script seeking randomly in my FLAC library, I
have now a reproducer for the problem. It seems to be as you say, the
false value propagates through all layers and the seeking process
stops. So we need to return true as a non-fatal error, but stop any
further decoding on the invalid frame. I think the best fix would be
to move the check for invalid predictor or partition order one layer
up to the subframe decoding functions.

I'll send a patch for review shortly.

-- 
Miroslav Lichvar