From 2a04c1a27d632d07a5aae0a1c2d0ee3847c8be3d Mon Sep 17 00:00:00 2001
From: Devon Kirk
Date: Thu, 18 Jun 2026 20:00:45 -0400
Subject: [PATCH] Guard against uint32 overflow in byte-block skip/read limit checks

FLAC__bitreader_skip_byte_block_aligned_no_crc and FLAC__bitreader_read_byte_block_aligned_no_crc both compute nvals*8 without overflow protection. Values large enough to overflow are unreachable through current callers (metadata block length is at most 24 bits), but the overflow would silently disable the limit enforcement. Pre-check the multiplication against UINT32_MAX/8 before computing nvals*8.
---
 src/libFLAC/bitreader.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/libFLAC/bitreader.c b/src/libFLAC/bitreader.c
index 3ebe37c86b..b0b454b267 100644
--- a/src/libFLAC/bitreader.c
+++ b/src/libFLAC/bitreader.c
@@ -621,7 +621,8 @@ FLAC__bool FLAC__bitreader_skip_byte_block_aligned_no_crc(FLAC__BitReader *br, u
 FLAC__ASSERT(FLAC__bitreader_is_consumed_byte_aligned(br));

 if(br->read_limit_set && br->read_limit < (uint32_t)-1){
- if(br->read_limit < nvals*8){
+ if(nvals > UINT32_MAX / 8 ||
+ br->read_limit < nvals*8){
 br->read_limit = -1;
 return false;
 }
@@ -666,7 +667,8 @@ FLAC__bool FLAC__bitreader_read_byte_block_aligned_no_crc(FLAC__BitReader *br, F
 FLAC__ASSERT(FLAC__bitreader_is_consumed_byte_aligned(br));

 if(br->read_limit_set && br->read_limit < (uint32_t)-1){
- if(br->read_limit < nvals*8){
+ if(nvals > UINT32_MAX / 8 ||
+ br->read_limit < nvals*8){
 br->read_limit = -1;
 return false;
 }
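Review bot: The added guard in FLAC__bitreader_skip_byte_block_aligned_no_crc can be written as a single overflow-free comparison, `if(br->read_limit / 8 < nvals){`, which is equivalent to `br->read_limit < nvals*8` for unsigned integers and never multiplies, so it depends neither on the short-circuit order of `||` nor on `UINT32_MAX` (the line directly above spells the same value `(uint32_t)-1`). The same applies to the identical hunk in FLAC__bitreader_read_byte_block_aligned_no_crc. Whichever form is kept, a one-line comment such as `/* nvals*8 must not wrap, or the read limit check is silently bypassed */` would record why the pre-check exists. The type of nvals is cut off in both hunk headers and both function bodies continue outside the hunks, so any later `nvals*8` arithmetic on read_limit is not visible here and should be checked for the same wrap.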