Report format error when order > frame length

A file where this happens is invalid. Instead of causing an index out of bounds, this should report an error. Fortunately this is Rust, which panics on out of bounds indexing, instead of C which would have had an out of bounds read. Found using libfuzzer and cargo-fuzz.
ruuda · Feb 23, 2017 · 21b1db4 · 21b1db4
1 parent 483eda3
commit 21b1db4
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/src/subframe.rs b/src/subframe.rs
@@ -583,6 +583,13 @@ fn decode_lpc<R: ReadBytes>(input: &mut Bitstream<R>,
     // The order minus one fits in 5 bits, so the order is at most 32.
     debug_assert!(order <= 32);
 
+    // On the frame decoding level it is ensured that the buffer is large
+    // enough. If it can't even fit the warm-up samples, then there is a frame
+    // smaller than its lpc order, which is invalid.
+    if buffer.len() < order as usize {
+        return fmt_err("invalid subframe, buffer is too small for given lpc order")
+    }
+
     // There are order * bits per sample unencoded warm-up sample bits.
     try!(decode_verbatim(input, bps, &mut buffer[..order as usize]));
 

diff --git a/testsamples/fuzz/5b004788ba05db06d0f6cc8a7a43e334c9d31c44.flac b/testsamples/fuzz/5b004788ba05db06d0f6cc8a7a43e334c9d31c44.flac