lutianxiong
fix #671 ping @raphink
ping @raphink @lutter
> The patch seem to assume that if realloc() return NULL, the original memory is lost, but the manual page for realloc() at least on Linux state that "If realloc()...
similar to this patch, in FLAC__stream_decoder_set_metadata_respond_application (stream_decoder.c, line 752):

```
if(0 == (decoder->private_->metadata_filter_ids = safe_realloc_mul_2op_(decoder->private_->metadata_filter_ids, decoder->private_->metadata_filter_ids_capacity, /*times*/2))) {
    decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
    return false;
}
```

in read_metadata_seektable_ (stream_decoder.c, line 1654):

```
/*...
```
the problem is `size1 > SIZE_MAX / size2` in `safe_realloc_mul_2op_`; if that happens, the original memory is not freed, so maybe `free(ptr)` should be called before `return 0`.

```
static inline...
```
> @ltx2018 please do not post screen captures, my screen resolution makes them unreadably small. Instead copy and paste and learn how to use GH markup.

emm.. updated
#214 a way to fix
> How can this be triggered?

I just ran fuzzer_encoder (built by oss-fuzz) locally; here is my crash corpus: [crash-fuzzer_encoder.zip](https://github.com/xiph/flac/files/4715489/crash-fuzzer_encoder.zip)
> How can this be triggered?

By the way, ARCHITECTURE is i386.