From db7b34c67a6ff9b9a0c79388a321aacc952a1df3 Mon Sep 17 00:00:00 2001
From: Martijn van Beurden
Date: Tue, 24 Feb 2026 20:47:49 +0100
Subject: [PATCH 1/2] Change check for overflow so sanitizer doesn't trigger
Credit: Oss-fuzz Issue: https://issues.oss-fuzz.com/issues/482309612
---
 src/flac/foreign_metadata.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/flac/foreign_metadata.c b/src/flac/foreign_metadata.c
index 993ee6b2ba..20bdd5c674 100644
--- a/src/flac/foreign_metadata.c
+++ b/src/flac/foreign_metadata.c
@@ -211,6 +211,7 @@ static FLAC__bool read_from_wave_(foreign_metadata_t *fm, FILE *f, const char **
 {
 FLAC__byte buffer[12];
 FLAC__off_t offset, eof_offset = -1, ds64_data_size = -1;
+ FLAC__uint64 overflow_check;
 if((offset = ftello(f)) < 0) {
 if(error) *error = "ftello() error (001)";
 return false;
@@ -314,12 +315,13 @@ static FLAC__bool read_from_wave_(foreign_metadata_t *fm, FILE *f, const char **
 if(error) *error = "RF64 file has \"ds64\" chunk with extra size table, which is not currently supported (r06)";
 return false;
 }
- eof_offset = (FLAC__off_t)8 + (FLAC__off_t)unpack64le_(buffer2);
+ overflow_check = 8 + unpack64le_(buffer2);
 /* @@@ [2^63 limit] */
- if((FLAC__off_t)unpack64le_(buffer2) < 0 || eof_offset < 0) {
+ if(overflow_check > FLAC__OFF_T_MAX) {
 if(error) *error = "RF64 file too large (r07)";
 return false;
 }
+ eof_offset = (FLAC__off_t)overflow_check;
 }
 else { /* skip to next chunk */
 if(fm->is_rf64 && !memcmp(buffer, "data", 4) && unpack32le_(buffer+4) == 0xffffffff) {
From a28589f5d02bcc56d46c683ebaa7dc10c0d4e967 Mon Sep 17 00:00:00 2001
From: Martijn van Beurden
Date: Tue, 24 Feb 2026 21:37:38 +0100
Subject: [PATCH 2/2] Set bounds to replaygain synthesis gain
The fuzzer found that with a large enough gain in dB, a gain variable would become inf, leading to overflows. This commit adds a check for absurd gain values.
---
 src/flac/decode.c | 9 +++++++++
 1 file changed, 9 insertions(+)
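Review bot: The new guard `if(overflow_check > FLAC__OFF_T_MAX)` misses the top eight values of the ds64 size: when `unpack64le_(buffer2)` is within 8 of 2^64, `8 + unpack64le_(buffer2)` wraps (well-defined for an unsigned operand, assuming unpack64le_ returns FLAC__uint64) to 0..7, passes the check, and `eof_offset` becomes a tiny offset instead of the (r07) rejection the old signed test produced for those values. Check the operand before adding, e.g. `if(unpack64le_(buffer2) > (FLAC__uint64)FLAC__OFF_T_MAX - 8) {` and then `eof_offset = (FLAC__off_t)(8 + unpack64le_(buffer2));`, so no intermediate can wrap; this also keeps the sanitizer quiet since all arithmetic stays unsigned and in range. The size comes straight from the container header, so a reader-controlled wrap to a near-zero eof_offset is worth closing even if a file that large cannot exist. read_from_wave_ starts and ends outside this hunk, so where eof_offset is consumed afterwards is not visible here.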
diff --git a/src/flac/decode.c b/src/flac/decode.c
index c64d9ad4a2..1e635d8fe5 100644
--- a/src/flac/decode.c
+++ b/src/flac/decode.c
@@ -1797,6 +1797,15 @@ void metadata_callback(const FLAC__StreamDecoder *decoder, const FLAC__StreamMet
 }
 decoder_session->replaygain.apply = false;
 }
+ /* Bounds just to make sure calculations don't overflow */
+ else if(gain > 90 || gain < -90) {
+ flac__utils_printf(stderr, 1, "%s: WARNING: can't apply ReplayGain, found gain value doesn't make sense\n", decoder_session->inbasefilename);
+ if(decoder_session->treat_warnings_as_errors) {
+ decoder_session->abort_flag = true;
+ return;
+ }
+ decoder_session->replaygain.apply = false;
+ }
 else {
 const char *ls[] = { "no", "peak", "hard" };
 const char *ns[] = { "no", "low", "medium", "high" };
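Review bot: The range test `else if(gain > 90 || gain < -90)` does not reject NaN, which fails both comparisons and falls through to the following else branch; if gain is a floating-point value parsed from the tag text, a tag like "nan" gets past this new guard even though it is exactly the kind of value that breaks the later arithmetic. Writing it as `else if(!(gain >= -90.0 && gain <= 90.0)) {` accepts the same range and additionally catches NaN. The comment on the line above should also say what the bound is, e.g. `/* Reject absurd gains (|gain| > 90 dB): larger values turn the linear scale factor into inf and overflow the synthesis */`, and 90 deserves a named constant rather than appearing twice as a magic number. The preceding branch of this chain and metadata_callback itself start outside the hunk, so whether gain is validated earlier is not visible here.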