Blob Blame Raw
Merged four commits:

commit fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
Author: Erik de Castro Lopo <erikd@mega-nerd.com>
Date:   Wed Nov 19 19:35:59 2014 -0800

    src/libFACL/stream_decoder.c : Fail safely to avoid a heap overflow.
    
    A file provided by the reporters caused the stream decoder to write to
    un-allocated heap space resulting in a segfault. The solution is to
    error out (by returning false from read_residual_partitioned_rice_())
    instead of trying to continue to decode.
    
    Fixes: CVE-2014-9028
    Reported-by: Michele Spagnuolo,
                 Google Security Team <mikispag@google.com>

commit 5a365996d739bdf4711af51d9c2c71c8a5e14660
Author: Erik de Castro Lopo <erikd@mega-nerd.com>
Date:   Thu Nov 27 11:55:11 2014 +1100

    src/libFLAC/stream_decoder.c : Fail safely to avoid a heap overflow.
    
    This fix is closely related to the fix for CVE-2014-9028. When that
    fix went public Miroslav Lichvar noticed a similar potential problem
    spot in the same function and was able to craft a file to trigger a
    heap write overflow.
    
    Reported-by : Miroslav Lichvar <mlichvar@redhat.com>

commit b4b2910bdca010808ccf2799f55562fa91f4347b
Author: Erik de Castro Lopo <erikd@mega-nerd.com>
Date:   Wed Dec 10 18:54:16 2014 +1100

    src/libFLAC/stream_decoder.c : Fix seek bug.
    
    Janne Hyvärinen reported a problem with seeking as a result of the
    fix for CVE-2014-9028. This is a different solution to the issue
    that should not adversely affect seeking.
    
    This version of the fix for the above CVE has been extensively fuzz
    tested using afl (http://lcamtuf.coredump.cx/afl/).
    
    Reported-by: Janne Hyvärinen <cse@sci.fi>

commit fed0dfa1086296df0af41ca8f0c6430d5ac75c87
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date:   Mon Dec 15 15:46:12 2014 +0100

    src/libFLAC/stream_decoder.c : Rework fix for seeking bug.
    
    To avoid crash caused by an unbound LPC decoding when predictor order is
    larger than blocksize, the sanity check needs to be moved to the subframe
    decoding functions.
    
    Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>

diff -up flac-1.3.0/src/libFLAC/stream_decoder.c.cve-2014-9028 flac-1.3.0/src/libFLAC/stream_decoder.c
--- flac-1.3.0/src/libFLAC/stream_decoder.c.cve-2014-9028	2015-03-27 16:59:10.898884915 +0100
+++ flac-1.3.0/src/libFLAC/stream_decoder.c	2015-03-27 17:00:34.879125031 +0100
@@ -2550,6 +2550,11 @@ FLAC__bool read_subframe_fixed_(FLAC__St
 		case FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE2:
 			if(!FLAC__bitreader_read_raw_uint32(decoder->private_->input, &u32, FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE_ORDER_LEN))
 				return false; /* read_callback_ sets the state for us */
+			if(decoder->private_->frame.header.blocksize >> u32 < order) {
+				send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
+				decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
+				return true;
+			}
 			subframe->entropy_coding_method.data.partitioned_rice.order = u32;
 			subframe->entropy_coding_method.data.partitioned_rice.contents = &decoder->private_->partitioned_rice_contents[channel];
 			break;
@@ -2629,6 +2634,11 @@ FLAC__bool read_subframe_lpc_(FLAC__Stre
 		case FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE2:
 			if(!FLAC__bitreader_read_raw_uint32(decoder->private_->input, &u32, FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE_ORDER_LEN))
 				return false; /* read_callback_ sets the state for us */
+			if(decoder->private_->frame.header.blocksize >> u32 < order) {
+				send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
+				decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
+				return true;
+			}
 			subframe->entropy_coding_method.data.partitioned_rice.order = u32;
 			subframe->entropy_coding_method.data.partitioned_rice.contents = &decoder->private_->partitioned_rice_contents[channel];
 			break;
@@ -2704,21 +2714,8 @@ FLAC__bool read_residual_partitioned_ric
 	const unsigned plen = is_extended? FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE2_PARAMETER_LEN : FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE_PARAMETER_LEN;
 	const unsigned pesc = is_extended? FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE2_ESCAPE_PARAMETER : FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE_ESCAPE_PARAMETER;
 
-	/* sanity checks */
-	if(partition_order == 0) {
-		if(decoder->private_->frame.header.blocksize < predictor_order) {
-			send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
-			decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
-			return true;
-		}
-	}
-	else {
-		if(partition_samples < predictor_order) {
-			send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
-			decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
-			return true;
-		}
-	}
+	/* invalid predictor and partition orders mush be handled in the callers */
+	FLAC__ASSERT(partition_order > 0? partition_samples >= predictor_order : decoder->private_->frame.header.blocksize >= predictor_order);
 
 	if(!FLAC__format_entropy_coding_method_partitioned_rice_contents_ensure_size(partitioned_rice_contents, flac_max(6u, partition_order))) {
 		decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;