From 65664e685553579493c91b38b93bf0f981c27688 Mon Sep 17 00:00:00 2001
From: Tsuda Kageyu
Date: Thu, 8 Jan 2015 12:28:20 +0900
Subject: [PATCH] Check for EOF to fix an infinite loop while parsing fuzzed MPC files.

---
 taglib/mpc/mpcproperties.cpp | 8 ++++++--
 tests/data/infloop.mpc | Bin 0 -> 434 bytes
 tests/test_mpc.cpp | 7 +++++++
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 tests/data/infloop.mpc

diff --git a/taglib/mpc/mpcproperties.cpp b/taglib/mpc/mpcproperties.cpp
index f11f8ecf..a162b8ee 100644
--- a/taglib/mpc/mpcproperties.cpp
+++ b/taglib/mpc/mpcproperties.cpp
@@ -197,10 +197,15 @@ void MPC::Properties::readSV8(File *file)
     unsigned long packetSize = readSize(file, packetSizeLength);
     unsigned long dataSize = packetSize - 2 - packetSizeLength;
 
+    const ByteVector data = file->readBlock(dataSize);
+    if(data.size() != dataSize) {
+      debug("MPC::Properties::readSV8() - dataSize doesn't match the actual data size.");
+      break;
+    }
+
     if(packetType == "SH") {
       // Stream Header
       // http://trac.musepack.net/wiki/SV8Specification#StreamHeaderPacket
-      ByteVector data = file->readBlock(dataSize);
       readSH = true;
 
       TagLib::uint pos = 4;
@@ -225,7 +230,6 @@ void MPC::Properties::readSV8(File *file)
     else if (packetType == "RG") {
       // Replay Gain
       // http://trac.musepack.net/wiki/SV8Specification#ReplaygainPacket
-      ByteVector data = file->readBlock(dataSize);
       readRG = true;
 
       int replayGainVersion = data[0];
diff --git a/tests/data/infloop.mpc b/tests/data/infloop.mpc
new file mode 100644
index 0000000000000000000000000000000000000000..46861ab378cc3060fb759333490bb4d2852ccd36
GIT binary patch
literal 434
zcmeYbaP|&9fgfCgN*5#-zhGv70Qc0qqErT_#GIVO6fuxcNKs;OHUooWQFdl=395O-
z=_{dukwB*~WR(_|D5T{VDU_rZm#|@Rz9v*GB(o$Zl_3|+wT3KE>B!W?A_gM^0|UnZ
j*APc{*N6)Z
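Review bot: The new `if(data.size() != dataSize)` check only fires after `file->readBlock(dataSize)` has already been asked for `dataSize` bytes, and `dataSize` is `packetSize - 2 - packetSizeLength` in unsigned arithmetic on values read from the file, so a fuzzed packet whose declared size is below `2 + packetSizeLength` wraps `dataSize` to a huge value before the mismatch is detected. Depending on how `readBlock` sizes its buffer (not visible here) that may mean one very large allocation attempt per malformed packet, which is the kind of resource-exhaustion a fuzzed-input fix should also close; the undersize case should be rejected before `dataSize` is derived. A packet of exactly `2 + packetSizeLength` bytes is a second gap: `dataSize` is 0, the new check passes with an empty `data`, and `int replayGainVersion = data[0];` in the RG branch then indexes an empty ByteVector, so each branch should still verify `data.size()` covers the fields it reads. `readSV8` begins before the first hunk and continues past the second, so the loop these `break`s leave is outside this view.
```cpp
    unsigned long packetSize = readSize(file, packetSizeLength);
    // packetSize comes from the file; the subtraction below is unsigned and
    // would wrap for a packet too short to hold its own header.
    if(packetSize < 2 + packetSizeLength) {
      debug("MPC::Properties::readSV8() - packet size is too small.");
      break;
    }
    unsigned long dataSize = packetSize - 2 - packetSizeLength;
    // … unchanged: readBlock(dataSize) and the size-mismatch check …
```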