From 4a9614bfc376a31f4995db9c294df8466f843eb6 Mon Sep 17 00:00:00 2001
From: Tsuda Kageyu
Date: Tue, 23 Dec 2014 20:54:20 +0900
Subject: [PATCH 1/3] Fix a division by zero error when parsing an APE file.
---
 taglib/ape/apeproperties.cpp | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/taglib/ape/apeproperties.cpp b/taglib/ape/apeproperties.cpp
index 4940edea..cf829fe5 100644
--- a/taglib/ape/apeproperties.cpp
+++ b/taglib/ape/apeproperties.cpp
@@ -221,12 +221,20 @@ void APE::Properties::analyzeOld()
 blocksPerFrame = 73728;
 else
 blocksPerFrame = 9216;
+
 d->channels = header.toShort(4, false);
 d->sampleRate = header.toUInt(6, false);
+
 const uint finalFrameBlocks = header.toUInt(22, false);
- const uint totalBlocks
- = totalFrames > 0 ? (totalFrames - 1) * blocksPerFrame + finalFrameBlocks : 0;
- d->length = totalBlocks / d->sampleRate;
- d->bitrate = d->length > 0 ? ((d->streamLength * 8L) / d->length) / 1000 : 0;
+
+ uint totalBlocks = 0;
+ if(totalFrames > 0)
+ totalBlocks = (totalFrames - 1) * blocksPerFrame + finalFrameBlocks;
+
+ if(d->sampleRate > 0)
+ d->length = totalBlocks / d->sampleRate;
+
+ if(d->length > 0)
+ d->bitrate = ((d->streamLength * 8L) / d->length) / 1000;
 }
From 61543432c0d9f31ff65d8c6793bd8208cc64440f Mon Sep 17 00:00:00 2001
From: Tsuda Kageyu
Date: Tue, 23 Dec 2014 20:58:36 +0900
Subject: [PATCH 2/3] Fix an excessive loop when parsing an APE file.
---
 taglib/ape/apetag.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/taglib/ape/apetag.cpp b/taglib/ape/apetag.cpp
index e1252193..22471d40 100644
--- a/taglib/ape/apetag.cpp
+++ b/taglib/ape/apetag.cpp
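Review bot: The new guards leave `d->length` and `d->bitrate` untouched when `d->sampleRate` is 0 or the computed length is 0, whereas the removed ternaries always wrote a value (0 in the fallback), so the fix now relies on both fields being zero-initialised by the constructor, which is outside this hunk; worth confirming, or keep the explicit fallback with `d->length = (d->sampleRate > 0) ? totalBlocks / d->sampleRate : 0;` and the matching line for `d->bitrate`. The block arithmetic `(totalFrames - 1) * blocksPerFrame + finalFrameBlocks` is still evaluated in `uint` (32-bit on the usual targets) from header-supplied values, so a corrupt frame count wraps silently and produces a wrong, if no longer crashing, length; computing it in `unsigned long long` before the division would make the value trustworthy as well as safe. analyzeOld() starts before the hunk, so where `header` and `totalFrames` are validated is not visible here.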
@@ -368,10 +368,13 @@ ByteVector APE::Tag::render() const
 void APE::Tag::parse(const ByteVector &data)
 {
- uint pos = 0;
-
 // 11 bytes is the minimum size for an APE item
+ if(data.size() < 11)
+ return;
+
+ uint pos = 0;
+
 for(uint i = 0; i < d->footer.itemCount() && pos <= data.size() - 11; i++) {
 APE::Item item;
 item.parse(data.mid(pos));
From 16ac2cd24015fcafa8529ede06f56a1dd5c4f13b Mon Sep 17 00:00:00 2001
From: Tsuda Kageyu
Date: Tue, 23 Dec 2014 21:02:00 +0900
Subject: [PATCH 3/3] Added some tests for fuzzed APE files.
---
 tests/data/longloop.ape | Bin 0 -> 184 bytes
 tests/data/zerodiv.ape | Bin 0 -> 946 bytes
 tests/test_ape.cpp | 10 ++++++++++
 3 files changed, 10 insertions(+)
 create mode 100644 tests/data/longloop.ape
 create mode 100644 tests/data/zerodiv.ape
diff --git a/tests/data/longloop.ape b/tests/data/longloop.ape
new file mode 100644
index 0000000000000000000000000000000000000000..3800387acbae60e24fd724f466422521ee53fdf9
GIT binary patch
literal 184
zcmeZubXJ(g&%j{9z`!5@#8ZHH4G`Z5Nd}S(0t<{7wrmE2Lz_3R0WuisAzTER^niuo z7$ZBw;+0$sle>5s?t2O_Y?Bve_&clAfSrL03>;tnxaN1m@@;UZhv@5~EW>mK-~7Dn z)JoT41;^5q%zS6Pw1QNiSZ+a4YH@L9ex751Ylx$}Ys3Y11_mXdLtcFO|NlP&g98Ht HkOndU{4PaD
literal 0
HcmV?d00001
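Review bot: The early return makes `data.size() - 11` safe to evaluate, but the loop is still bounded only by `d->footer.itemCount()`, a footer-supplied count, and by `pos` advancing; the advance of `pos` lies outside the hunk, so if `Item::parse` can yield a zero-length item from malformed bytes, `pos` would stop moving and the loop would run the full count regardless of how much data is present. A guard after `item.parse(data.mid(pos));` such as `if(item.size() == 0) break;` would bound the work by the data actually present rather than by the header — worth confirming against what `Item::size()` reports for a failed parse. The literal 11 now appears twice with the comment as its only explanation; a named constant such as `static const uint kMinItemSize = 11;` would keep the two uses in step. parse() continues past the end of the hunk.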
diff --git a/tests/data/zerodiv.ape b/tests/data/zerodiv.ape new file mode 100644 index 0000000000000000000000000000000000000000..683bc2ddb5ae4f932fd7554664421bd0134f871e GIT binary patch literal 946 zcmV;j15Nx*K|>&x00960001BW0001#000220002kRAT@D000000001iN0A!y@L(fn z1FU6N?rMC{2LJ#7AOQfNG5`Q206+i`00IC+tN;KE0RR9H4gvsT-~<51$p-+VsR{s- zij4rzNe}?G9}@um{uKbw(-;7Lp%VZJXC46PH6Z}&6eIwKtR?`4NGSlc5i9^d=q>>8 zg)snlwKD*2CN==G`Zxfn+B*O$yFLK?Zb1MVG(-T(7DoUL^GN_yy-Wy#iBABVR#E^k zO;rHm?NQMOH;-ZFC?I0000100IC+tN;KI zu|fa@01yCVVRT`D%Ax?3!cHIFm<<4a!=@`~=9M8_a>)?-3o?rrEy&ZL%zk)>+(y7{ zti6@zFo%OMvExuM@b9ZWskn=Nx)d zp{lxNl;FOWNjsXPDz006ie=`z|Sc`@D|u6b|?eVW<@?#of*UN^Y1 zOL~}h7^3Oos~_tf*;Xi9HdD$1_aPTqNN9T?_8E|DYC5#x>-?NN5Ai5voy)Q3NK4cG zJuC2S8B)}7DLfa8z^x4ieZdyl&G)oQCu}+rb?G;-8Vma+oiAWXea%wR_ z$qYG4i(SKF?(75aFPu{Z3be-lU%pm{{PTCgQ6?MbnuMe`Cm{S`1}090IRnYaX#b4J zgEP$xl{{Z*&K!#sAt@QUHWtKSbN?o=80P1Dx3}|w776XkW{5LLU{{;6uu0kbouJ5| zm;VK#|1S|zq>i2O-okJhkE^gBL^7Dc?{k7xXp+w3tutQlp`kcIK?MK?4tzlMFtAho zx5^vD}ZcdL`aRAUqP~eRFlu_v`AWZb?g{O&9mmZd=QMX+YL*6(|ofqh$x$UsampleRate()); } + void testFuzzedFiles() + { + APE::File f1(TEST_FILE_PATH_C("longloop.ape")); + CPPUNIT_ASSERT(f1.isValid()); + + APE::File f2(TEST_FILE_PATH_C("zerodiv.ape")); + CPPUNIT_ASSERT(f2.isValid()); + } + }; CPPUNIT_TEST_SUITE_REGISTRATION(TestAPE);