authorMartijn van Beurden <mvanb1@gmail.com>2023-04-17 14:20:18 +0200
committerMartijn van Beurden <mvanb1@gmail.com>2023-04-18 07:56:02 +0200
commit1faa4924e2d6e5e4781d0fedf8a96c521f2cc794 (patch)
tree1b70850ad39747db82ed2434175387828b38b826
parent139cd330af8c36b0a5d58e4e4e957c7e2cb5fc53 (diff)
Treat cuesheets with 0 tracks as invalid
Credit: Oss-Fuzz Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57904
-rw-r--r--src/libFLAC/metadata_iterators.c2
-rw-r--r--src/libFLAC/stream_decoder.c4
-rw-r--r--src/share/grabbag/cuesheet.c2
3 files changed, 7 insertions, 1 deletions
diff --git a/src/libFLAC/metadata_iterators.c b/src/libFLAC/metadata_iterators.c
index d0e4a520..16fa2f1d 100644
--- a/src/libFLAC/metadata_iterators.c
+++ b/src/libFLAC/metadata_iterators.c
@@ -2518,7 +2518,7 @@ FLAC__Metadata_SimpleIteratorStatus read_metadata_block_data_cuesheet_cb_(FLAC__
block->num_tracks = unpack_uint32_(buffer, len);
if(block->num_tracks == 0) {
- block->tracks = 0;
+ return FLAC__METADATA_SIMPLE_ITERATOR_STATUS_BAD_METADATA;
}
else if(0 == (block->tracks = calloc(block->num_tracks, sizeof(FLAC__StreamMetadata_CueSheet_Track))))
return FLAC__METADATA_SIMPLE_ITERATOR_STATUS_MEMORY_ALLOCATION_ERROR;
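Review bot: The new early return in the `num_tracks == 0` branch no longer assigns `block->tracks`, and nothing in the hunk says why an empty cuesheet is rejected. If `block` is not guaranteed to be zero-initialised by the caller (not visible here), later cleanup could see an indeterminate pointer, so keeping `block->tracks = 0;` ahead of the return would be the conservative form. A one-line comment such as `/* a CUESHEET needs at least the lead-out track; 0 tracks is malformed input */` would record the intent. With the branch now returning, the following `else if` could also become a plain `if`. The function body starts and ends outside this hunk.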
diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c
index 6a5b4387..8ce6d605 100644
--- a/src/libFLAC/stream_decoder.c
+++ b/src/libFLAC/stream_decoder.c
@@ -1871,6 +1871,10 @@ FLAC__bool read_metadata_cuesheet_(FLAC__StreamDecoder *decoder, FLAC__StreamMet
}
}
}
+ else { /* obj->num_tracks == 0 */
+ FLAC__bitreader_limit_invalidate(decoder->private_->input);
+ return false;
+ }
return true;
}
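Review bot: The added `else` branch says which condition it handles but not why it calls `FLAC__bitreader_limit_invalidate()` before `return false`. A reader cannot tell from the hunk whether this failure is meant to be reported as malformed metadata or as a read error. A comment along the lines of `/* cuesheet without tracks is invalid: drop the block-length limit and reject the block */` would help, adjusted to whatever the caller actually does with the invalidated limit. The `if` this `else` pairs with and the caller's handling of a `false` return are outside the hunk. It is worth confirming that this path produces the same decoder state or error callback as the other rejection paths in `read_metadata_cuesheet_`.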
diff --git a/src/share/grabbag/cuesheet.c b/src/share/grabbag/cuesheet.c
index 1e1a132b..ab8070b1 100644
--- a/src/share/grabbag/cuesheet.c
+++ b/src/share/grabbag/cuesheet.c
@@ -626,6 +626,8 @@ void grabbag__cuesheet_emit(FILE *file, const FLAC__StreamMetadata *cuesheet, co
fprintf(file, "CATALOG %s\n", cs->media_catalog_number);
fprintf(file, "FILE %s\n", file_reference);
+ FLAC__ASSERT(cs->num_tracks > 0);
+
for(track_num = 0; track_num < cs->num_tracks-1; track_num++) {
const FLAC__StreamMetadata_CueSheet_Track *track = cs->tracks + track_num;
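Review bot: `FLAC__ASSERT(cs->num_tracks > 0)` only guards debug builds; where assertions are compiled out, the loop bound `cs->num_tracks-1` is still evaluated for a zero count. The count is an unsigned field in the FLAC headers, so that bound wraps to a very large value and the loop reads `cs->tracks + track_num` far past the array. `grabbag__cuesheet_emit` takes a caller-supplied `FLAC__StreamMetadata`, so it can receive an object that never went through the two readers fixed in this commit. A runtime guard before the loop, `if(cs->num_tracks == 0) return;`, would keep the function memory-safe in release builds, with the assert kept alongside it if desired. The rest of the function, including any use of the last track after the loop, is outside the hunk.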