search for: safe_malloc_add_2op_

..._endian(decoder->private_->input, &obj->vendor_string.length)) return false; /* read_callback_ sets the state for us */ + length -= 8; if(obj->vendor_string.length > 0) { + if (length < obj->vendor_string.length) return false; if(0 == (obj->vendor_string.entry = safe_malloc_add_2op_(obj->vendor_string.length, /*+*/1))) { decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR; return false; @@ -1705,6 +1708,7 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre if(!FLAC__bitreader_read_byte_block_aligned_no_c...

...ets the state for us */ if(obj->vendor_string.length > 0) { + if(length < obj->vendor_string.length) { + obj->vendor_string.length = 0; + obj->vendor_string.entry = 0; + goto skip; + } else length -= obj->vendor_string.length; if(0 == (obj->vendor_string.entry = safe_malloc_add_2op_(obj->vendor_string.length, /*+*/1))) { decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR; return false; @@ -1722,9 +1728,19 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre } for(i = 0; i < obj->num_comments; i+...

...it.xiph.org/?p=flac.git;a=blob;f=src/libFLAC/stream_decoder.c;h=e0f1b14d30dd548268a88e4341af3f38290816e3;hb=HEAD#l1763 https://git.xiph.org/?p=flac.git;a=blob;f=src/libFLAC/stream_decoder.c;h=e0f1b14d30dd548268a88e4341af3f38290816e3;hb=HEAD#l1774 Would it be appropriate to do the same thing should safe_malloc_add_2op_ fail? Attached patch to illustrate what I mean. -------------- next part -------------- A non-text attachment was scrubbed... Name: num_comments.patch Type: application/octet-stream Size: 625 bytes Desc: not available Url : http://lists.xiph.org/pipermail/flac-dev/attachments/20160314/f3f8d848/att...