shithub: mp3dec


ref: 910808792f8c419c6cf9b3ba282522c8b72cd5fd
parent: 12777635f708844f61b9ef3fb455fdaa510669c3
author: lieff <[email protected]>
date: Sun Feb 11 11:22:44 EST 2018

fix input out-of-bounds read found by afl

--- a/minimp3.h
+++ b/minimp3.h
@@ -246,7 +246,12 @@
 {
     uint32_t next, cache = 0, s = bs->pos & 7;
     int shl = n + s;
-    const uint8_t * p = bs->buf + (bs->pos >> 3);
+    const uint8_t *p = bs->buf + (bs->pos >> 3);
+    if (bs->pos + n > bs->limit)
+    {
+        bs->pos = bs->limit;
+        return 0;
+    }
     next = *p++ & (255 >> s);
     while ((shl -= 8) > 0)
     {
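Review bot: The overrun path added ahead of `next = *p++ & (255 >> s);` returns 0 and sets `bs->pos = bs->limit`, so a truncated read cannot be told apart from a genuine zero-valued field that ends exactly at the limit. If callers outside this hunk detect short or corrupt frames by comparing `bs->pos` with `bs->limit`, that signal is lost. Either leave the position past the limit on failure or state the contract in a comment such as `/* past end of input: yield 0 and park pos at limit; callers must treat pos == limit as possibly truncated */`. The guard also lets `n == 0` through when `bs->pos == bs->limit`, and the following line then dereferences `p` at the limit, so it is worth confirming that no caller passes zero. The function starts and continues outside the hunk.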
--- a/minimp3_test.c
+++ b/minimp3_test.c
@@ -58,7 +58,7 @@
 
     mp3dec_init(&mp3d);
 #ifndef MINIMP3_NO_WAV
-    if (wave_out)
+    if (wave_out && file_out)
         fwrite(wav_header(0, 0, 0, 0), 1, 44, file_out);
 #endif
     do
@@ -99,7 +99,7 @@
         exit(1);
     }
 #ifndef MINIMP3_NO_WAV
-    if (wave_out)
+    if (wave_out && file_out)
     {
         data_bytes = ftell(file_out) - 44;
         rewind(file_out);
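Review bot: `ftell(file_out)` is still used unchecked in `data_bytes = ftell(file_out) - 44;`. On an output stream that cannot report a position it returns -1, so `data_bytes` goes negative before it is presumably written into the rewritten WAV header. A guard such as `long end = ftell(file_out); if (end < 44) { /* report error, skip header rewrite */ }` would keep a bogus size out of the file. The `fwrite` of the placeholder header in the earlier hunk at line 58 likewise ignores its return value. The enclosing block continues outside the hunk.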
binary files a/vectors/l2-nonstandard-test32-size.pcm b/vectors/l2-nonstandard-test32-size.pcm differ