Merge pull request #485 from TsudaKageyu/oga-segfault

Fix a segfault when reading faulty Ogg/FLAC files.
2025-06-04 01:28:21 -04:00 · 2015-01-01 19:48:23 +01:00 · 2015-01-01 19:48:23 +01:00 · 31982660c8
commit 31982660c8
parent bd7b8cc36a bc9bbfe3fa
3 changed files with 25 additions and 16 deletions
--- a/taglib/ogg/flac/oggflacfile.cpp
+++ b/taglib/ogg/flac/oggflacfile.cpp
@ -103,7 +103,7 @@ PropertyMap Ogg::FLAC::File::properties() const
 PropertyMap Ogg::FLAC::File::setProperties(const PropertyMap &properties)
 {
  return d->comment->setProperties(properties);
-}  
+}

 Properties *Ogg::FLAC::File::audioProperties() const
 {
@ -211,29 +211,30 @@ void Ogg::FLAC::File::scan()
  long overhead = 0;

  ByteVector metadataHeader = packet(ipacket);
-  if(metadataHeader.isNull())
+  if(metadataHeader.isEmpty())
    return;

-  ByteVector header;
-
-  if (!metadataHeader.startsWith("fLaC"))  {
+  if(!metadataHeader.startsWith("fLaC"))  {
    // FLAC 1.1.2+
-    if (metadataHeader.mid(1,4) != "FLAC") return;
+    if(metadataHeader.mid(1, 4) != "FLAC")
+      return;

-    if (metadataHeader[5] != 1) return; // not version 1
+    if(metadataHeader[5] != 1)
+      return; // not version 1

    metadataHeader = metadataHeader.mid(13);
  }
  else {
    // FLAC 1.1.0 & 1.1.1
    metadataHeader = packet(++ipacket);
-
-    if(metadataHeader.isNull())
-      return;
-
  }

-  header = metadataHeader.mid(0,4);
+  ByteVector header = metadataHeader.mid(0, 4);
+  if(header.size() != 4) {
+    debug("Ogg::FLAC::File::scan() -- Invalid Ogg/FLAC metadata header");
+    return;
+  }
+
  // Header format (from spec):
  // <1> Last-metadata-block flag
  // <7> BLOCK_TYPE
@ -262,11 +263,12 @@ void Ogg::FLAC::File::scan()

  while(!lastBlock) {
    metadataHeader = packet(++ipacket);
-
-    if(metadataHeader.isNull())
-      return;
-
    header = metadataHeader.mid(0, 4);
+    if(header.size() != 4) {
+      debug("Ogg::FLAC::File::scan() -- Invalid Ogg/FLAC metadata header");
+      return;
+    }
+
    blockType = header[0] & 0x7f;
    lastBlock = (header[0] & 0x80) != 0;
    length = header.toUInt(1, 3, true);
--- a/tests/data/segfault.oga
+++ b/tests/data/segfault.oga
--- a/tests/test_oggflac.cpp
+++ b/tests/test_oggflac.cpp
@ -15,6 +15,7 @@ class TestOggFLAC : public CppUnit::TestFixture
 {
  CPPUNIT_TEST_SUITE(TestOggFLAC);
  CPPUNIT_TEST(testFramingBit);
+  CPPUNIT_TEST(testFuzzedFile);
  CPPUNIT_TEST_SUITE_END();

 public:
@ -39,6 +40,12 @@ public:
    delete f;
  }

+  void testFuzzedFile()
+  {
+    Ogg::FLAC::File f(TEST_FILE_PATH_C("segfault.oga"));
+    CPPUNIT_ASSERT(!f.isValid());
+  }
+
 };

 CPPUNIT_TEST_SUITE_REGISTRATION(TestOggFLAC);