ref: 910808792f8c419c6cf9b3ba282522c8b72cd5fd
parent: 12777635f708844f61b9ef3fb455fdaa510669c3
author: lieff <[email protected]>
date: Sun Feb 11 11:22:44 EST 2018
fix input out-of-bounds read found by afl
--- a/minimp3.h
+++ b/minimp3.h
@@ -246,7 +246,12 @@
{
uint32_t next, cache = 0, s = bs->pos & 7;
int shl = n + s;
- const uint8_t * p = bs->buf + (bs->pos >> 3);
+ const uint8_t *p = bs->buf + (bs->pos >> 3);
+ if (bs->pos + n > bs->limit)
+ {
+ bs->pos = bs->limit;
+ return 0;
+ }
next = *p++ & (255 >> s);
while ((shl -= 8) > 0)
{
--- a/minimp3_test.c
+++ b/minimp3_test.c
@@ -58,7 +58,7 @@
mp3dec_init(&mp3d);
#ifndef MINIMP3_NO_WAV
- if (wave_out)
+ if (wave_out && file_out)
fwrite(wav_header(0, 0, 0, 0), 1, 44, file_out);
#endif
do
@@ -99,7 +99,7 @@
exit(1);
}
#ifndef MINIMP3_NO_WAV
- if (wave_out)
+ if (wave_out && file_out)
{
data_bytes = ftell(file_out) - 44;
rewind(file_out);
binary files a/vectors/l2-nonstandard-test32-size.pcm b/vectors/l2-nonstandard-test32-size.pcm differ