flac: Fix validation checks found by fuzzing. (#438)

This commit adds validation checks to the FLAC decoder to prevent potential
panics or invalid behavior when processing malformed streams.

- Verify frame channel count matches the stream information.
- Ensure dropped bits per sample does not exceed frame bits per sample.
- Validate that the predictor order does not exceed the block size.

Author: baylesj

symphonia-bundle-flac/src/decoder.rs

@@ -358,6 +358,11 @@ fn read_subframe<B: ReadBitsLtr>(bs: &mut B, frame_bps: u32, buf: &mut [i32]) ->
     // bits per sample in the audio sub-block. If the bit is set, unary decode the number of
     // dropped bits per sample.
     let dropped_bps = if bs.read_bool()? { bs.read_unary_zeros()? + 1 } else { 0 };
+    if dropped_bps > frame_bps {
+        return decode_error(
+            "flac: dropped bits per sample is greater than the frame bits per sample",
+        );
+    }
 
     // The bits per sample stated in the frame header is for the decoded audio sub-block samples.
     // However, it is likely that the lower order bits of all the samples are simply 0. Therefore,
@@ -417,6 +422,10 @@ fn decode_fixed_linear<B: ReadBitsLtr>(
     order: u32,
     buf: &mut [i32],
 ) -> Result<()> {
+    if order as usize > buf.len() {
+        return decode_error("flac: fixed predictor order is greater than the block size");
+    }
+
     // The first `order` samples are encoded verbatim to warm-up the LPC decoder.
     decode_verbatim(bs, bps, &mut buf[..order as usize])?;
 
@@ -434,6 +443,10 @@ fn decode_fixed_linear<B: ReadBitsLtr>(
 }
 
 fn decode_linear<B: ReadBitsLtr>(bs: &mut B, bps: u32, order: u32, buf: &mut [i32]) -> Result<()> {
+    if order as usize > buf.len() {
+        return decode_error("flac: predictor order is greater than the block size");
+    }
+
     // The order of the Linear Predictor should be between 1 and 32.
     debug_assert!(order > 0 && order <= 32);