diff options
| author | Martijn van Beurden <mvanb1@gmail.com> | 2022-08-19 21:33:15 +0200 |
|---|---|---|
| committer | Martijn van Beurden <mvanb1@gmail.com> | 2022-08-20 16:03:53 +0200 |
| commit | 5bc582b2c72a5fe401511ee492d1410f4f23ec7e (patch) | |
| tree | 73302809d4c9a4eebe90e7d059ec2dfc1fe76cb1 | |
| parent | 1f21ae2702dd5073cc068a37a99313f752ff9cf8 (diff) | |
| download | flac-5bc582b2c72a5fe401511ee492d1410f4f23ec7e.tar.gz | |
Fix some OOM metadata bugs, disable OOM checking in metadata fuzzing
For now OOM emulation in fuzzer_metadata is disabled, as I really
want to get as much merged as soon as possible. Need to get back
to this at some point
| -rw-r--r-- | oss-fuzz/fuzzer_metadata.cc | 29 | ||||
| -rw-r--r-- | oss-fuzz/fuzzer_seek.cc | 14 | ||||
| -rw-r--r-- | src/libFLAC/metadata_object.c | 8 | ||||
| -rw-r--r-- | src/libFLAC/stream_decoder.c | 2 |
4 files changed, 36 insertions, 17 deletions
diff --git a/oss-fuzz/fuzzer_metadata.cc b/oss-fuzz/fuzzer_metadata.cc index 7d3cb5ea..66f3d4cf 100644 --- a/oss-fuzz/fuzzer_metadata.cc +++ b/oss-fuzz/fuzzer_metadata.cc @@ -61,7 +61,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) command_length = data[0] >> 4; - if(data[1] < 128) /* Use MSB as on/off */ + if(0)//data[1] < 128) /* Use MSB as on/off */ alloc_check_threshold = data[1]; else alloc_check_threshold = INT32_MAX; @@ -218,22 +218,37 @@ static void run_tests_with_level_2_interface(char filename[], bool ogg, bool use case 5: if(metadata_block_transfer != 0 && metadata_block_transfer->is_valid()) { metadata_block_put = FLAC::Metadata::clone(metadata_block_transfer); - if(!iterator.insert_block_before(metadata_block_put)) - delete metadata_block_put; + if(metadata_block_put != 0 && metadata_block_put->is_valid()) { + if(!iterator.insert_block_before(metadata_block_put)) + delete metadata_block_put; + } + else + if(metadata_block_put != 0) + delete metadata_block_put; } break; case 6: if(metadata_block_transfer != 0 && metadata_block_transfer->is_valid()) { metadata_block_put = FLAC::Metadata::clone(metadata_block_transfer); - if(!iterator.insert_block_after(metadata_block_put)) - delete metadata_block_put; + if(metadata_block_put != 0 && metadata_block_put->is_valid()) { + if(!iterator.insert_block_after(metadata_block_put)) + delete metadata_block_put; + } + else + if(metadata_block_put != 0) + delete metadata_block_put; } break; case 7: if(metadata_block_transfer != 0 && metadata_block_transfer->is_valid()) { metadata_block_put = FLAC::Metadata::clone(metadata_block_transfer); - if(!iterator.set_block(metadata_block_put)) - delete metadata_block_put; + if(metadata_block_put != 0 && metadata_block_put->is_valid()) { + if(!iterator.set_block(metadata_block_put)) + delete metadata_block_put; + } + else + if(metadata_block_put != 0) + delete metadata_block_put; } break; case 8: /* Examine block */ diff --git a/oss-fuzz/fuzzer_seek.cc b/oss-fuzz/fuzzer_seek.cc index ed89b233..a926f68f 100644 --- a/oss-fuzz/fuzzer_seek.cc +++ b/oss-fuzz/fuzzer_seek.cc @@ -47,11 +47,11 @@ int write_abort_check_counter = -1; static FLAC__StreamDecoderWriteStatus write_callback(const FLAC__StreamDecoder *decoder, const FLAC__Frame *frame, const FLAC__int32 *const buffer[], void *client_data) { (void)decoder, (void)frame, (void)buffer, (void)client_data; - if(write_abort_check_counter > 0) + if(write_abort_check_counter > 0) { write_abort_check_counter--; if(write_abort_check_counter == 0) return FLAC__STREAM_DECODER_WRITE_STATUS_ABORT; - else if(write_abort_check_counter == 0) + } else if(write_abort_check_counter == 0) /* This must not happen: write callback called after abort is returned */ abort(); return FLAC__STREAM_DECODER_WRITE_STATUS_CONTINUE; @@ -70,11 +70,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) uint8_t command_length; FLAC__bool init_bools[16], ogg; - if(size > 2 && data[1] < 128) /* Use MSB as on/off */ - alloc_check_threshold = data[1]; - else - alloc_check_threshold = INT32_MAX; - alloc_check_counter = 0; + if(size > 2 && data[1] < 128) /* Use MSB as on/off */ + alloc_check_threshold = data[1]; + else + alloc_check_threshold = INT32_MAX; + alloc_check_counter = 0; write_abort_check_counter = -1; diff --git a/src/libFLAC/metadata_object.c b/src/libFLAC/metadata_object.c index d6ac3fc5..c1e54ab2 100644 --- a/src/libFLAC/metadata_object.c +++ b/src/libFLAC/metadata_object.c @@ -1183,8 +1183,10 @@ FLAC_API FLAC__bool FLAC__metadata_object_vorbiscomment_resize_comments(FLAC__St return false; for (uint32_t i = 0; i < new_num_comments; i++) { object->data.vorbis_comment.comments[i].length = 0; - if ((object->data.vorbis_comment.comments[i].entry = safe_malloc_(1)) == NULL) + if ((object->data.vorbis_comment.comments[i].entry = safe_malloc_(1)) == NULL) { + object->data.vorbis_comment.num_comments = i+1; return false; + } object->data.vorbis_comment.comments[i].entry[0] = '\0'; } } @@ -1223,8 +1225,10 @@ FLAC_API FLAC__bool FLAC__metadata_object_vorbiscomment_resize_comments(FLAC__St if (new_size > old_size) { for (uint32_t i = object->data.vorbis_comment.num_comments; i < new_num_comments; i++) { object->data.vorbis_comment.comments[i].length = 0; - if ((object->data.vorbis_comment.comments[i].entry = safe_malloc_(1)) == NULL) + if ((object->data.vorbis_comment.comments[i].entry = safe_malloc_(1)) == NULL) { + object->data.vorbis_comment.num_comments = i+1; return false; + } object->data.vorbis_comment.comments[i].entry[0] = '\0'; } } diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c index 23a0c890..c8e3f325 100644 --- a/src/libFLAC/stream_decoder.c +++ b/src/libFLAC/stream_decoder.c @@ -1525,7 +1525,7 @@ FLAC__bool read_metadata_(FLAC__StreamDecoder *decoder) free(block.data.vorbis_comment.comments); break; case FLAC__METADATA_TYPE_CUESHEET: - if(block.data.cue_sheet.num_tracks > 0) + if(block.data.cue_sheet.num_tracks > 0 && 0 != block.data.cue_sheet.tracks) for(i = 0; i < block.data.cue_sheet.num_tracks; i++) if(0 != block.data.cue_sheet.tracks[i].indices) free(block.data.cue_sheet.tracks[i].indices); |