Security context

What an agent needs to avoid regressing past fixes and find the next vuln in this repo.

xiph/flac
master @ b430c3a
76
Fixes
0
CVEs
HIGH
Peak severity
Highlights
Memory Corruption: 31 prior fixes. Scrutinize any change in this area.
src/libFLAC/stream_decoder.c: most-fixed (34 issues). Treat as high-risk during review.
42 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns

The bug types that recur here, drawn from past fixes, not open vulnerabilities.

Memory Corruption: The stream decoder is the largest attack surface, frequently suffering from heap buffer overflows, out-of-bounds writes, and uninitialized memory access during frame and subframe parsing. Invalid block sizes, predictor orders, or channel counts often bypass allocation boundaries if not validated early.
Integer Overflow: Arithmetic operations on parsed metadata values (such as minutes and sample rates) frequently overflow, resulting in downstream buffer under-allocations or out-of-bounds indexing during metadata decoding.
Double Free: Memory reallocation routines in libFLAC historically freed the original pointer upon allocation failure, leading to double-free vulnerabilities when the calling context also attempted to clean up the same pointer.