Check for EOF to fix an infinite loop while parsing fuzzed MPC files.

2025-06-04 01:28:21 -04:00 · 2015-01-08 12:28:20 +09:00 · 2015-01-08 12:28:20 +09:00 · 65664e6855
commit 65664e6855
parent 2193d6dd84
3 changed files with 13 additions and 2 deletions
--- a/taglib/mpc/mpcproperties.cpp
+++ b/taglib/mpc/mpcproperties.cpp
@ -197,10 +197,15 @@ void MPC::Properties::readSV8(File *file)
    unsigned long packetSize = readSize(file, packetSizeLength);
    unsigned long dataSize = packetSize - 2 - packetSizeLength;

+    const ByteVector data = file->readBlock(dataSize);
+    if(data.size() != dataSize) {
+      debug("MPC::Properties::readSV8() - dataSize doesn't match the actual data size.");
+      break;
+    }
+
    if(packetType == "SH") {
      // Stream Header
      // http://trac.musepack.net/wiki/SV8Specification#StreamHeaderPacket
-      ByteVector data = file->readBlock(dataSize);
      readSH = true;

      TagLib::uint pos = 4;
@ -225,7 +230,6 @@ void MPC::Properties::readSV8(File *file)
    else if (packetType == "RG") {
      // Replay Gain
      // http://trac.musepack.net/wiki/SV8Specification#ReplaygainPacket
-      ByteVector data = file->readBlock(dataSize);
      readRG = true;

      int replayGainVersion = data[0];
--- a/tests/data/infloop.mpc
+++ b/tests/data/infloop.mpc
--- a/tests/test_mpc.cpp
+++ b/tests/test_mpc.cpp
@ -18,6 +18,7 @@ class TestMPC : public CppUnit::TestFixture
  CPPUNIT_TEST(testPropertiesSV5);
  CPPUNIT_TEST(testPropertiesSV4);
  CPPUNIT_TEST(testFuzzedFile1);
+  CPPUNIT_TEST(testFuzzedFile2);
  CPPUNIT_TEST_SUITE_END();

 public:
@ -68,6 +69,12 @@ public:
    CPPUNIT_ASSERT(f.isValid());
  }

+  void testFuzzedFile2()
+  {
+    MPC::File f(TEST_FILE_PATH_C("infloop.mpc"));
+    CPPUNIT_ASSERT(f.isValid());
+  }
+
 };

 CPPUNIT_TEST_SUITE_REGISTRATION(TestMPC);