[flac-dev] Two new CVEs against FLAC

Erik de Castro Lopo mle+la at mega-nerd.com
Tue Nov 25 11:40:37 PST 2014


Miroslav Lichvar wrote:

> I'm trying to figure out how this one works. It seems the problem is
> integer underflow in the "frame.header.blocksize-order" expression
> used in read_subframe_fixed_() and read_subframe_lpc_() to get the
> number of encoded samples, which causes a buffer overflow in the
> LPC/fixed subframe decoding.
> 
> The fix prevents that by returning false from
> read_residual_partitioned_rice_() to stop further decoding of
> the subframe when the partition order is 0 and blocksize is smaller
> than the predictor order.
> 
> Is that correct?

Yes.
 
> I think the case with non-zero partition order may need to be fixed
> too. For example, with partition order of 1, predictor order of 16 and
> blocksize of 4, the function would return true and blocksize-order in
> the caller would still underflow.
> 
> --- a/src/libFLAC/stream_decoder.c
> +++ b/src/libFLAC/stream_decoder.c
> @@ -2744,7 +2744,7 @@ FLAC__bool read_residual_partitioned_rice_(FLAC__StreamDecoder *decoder, unsigne
>                 if(partition_samples < predictor_order) {
>                         send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
>                         decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
> -                       return true;
> +                       return false;
>                 }
>         }
> 
> Thoughts?

That may well be true. Is it possible to generate file that actually
triggers this?

Cheers,
Erik
-- 
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/


More information about the flac-dev mailing list