Fix crash with invalid WAV files (#1163) (#1164)

With specially crafted WAV files having the "id3 " chunk as the only valid chunk, when trying to write the tags, the existing "id3 " chunk is removed, and then vector::front() is called on the now empty chunks vector. Now it is checked if the vector is empty to avoid the crash.
2025-05-27 21:20:26 -04:00 · 2023-11-05 14:40:18 +01:00 · 2023-11-05 14:40:18 +01:00 · dfa33bec08
commit dfa33bec08
parent f202fa25c3
3 changed files with 21 additions and 0 deletions
--- a/taglib/riff/rifffile.cpp
+++ b/taglib/riff/rifffile.cpp
@ -361,6 +361,9 @@ void RIFF::File::writeChunk(const ByteVector &name, const ByteVector &data,

 void RIFF::File::updateGlobalSize()
 {
+  if(d->chunks.empty())
+    return;
+
  const Chunk first = d->chunks.front();
  const Chunk last  = d->chunks.back();
  d->size = static_cast<unsigned int>(last.offset + last.size + last.padding - first.offset + 12);
--- a/tests/data/invalid-chunk.wav
+++ b/tests/data/invalid-chunk.wav
--- a/tests/test_wav.cpp
+++ b/tests/test_wav.cpp
@ -59,6 +59,7 @@ class TestWAV : public CppUnit::TestFixture
  CPPUNIT_TEST(testStripAndProperties);
  CPPUNIT_TEST(testPCMWithFactChunk);
  CPPUNIT_TEST(testWaveFormatExtensible);
+  CPPUNIT_TEST(testInvalidChunk);
  CPPUNIT_TEST_SUITE_END();

 public:
@ -385,6 +386,23 @@ public:
    CPPUNIT_ASSERT_EQUAL(1, f.audioProperties()->format());
  }

+  void testInvalidChunk()
+  {
+    ScopedFileCopy copy("invalid-chunk", ".wav");
+
+    {
+      RIFF::WAV::File f(copy.fileName().c_str());
+      CPPUNIT_ASSERT_EQUAL(0, f.audioProperties()->lengthInSeconds());
+      CPPUNIT_ASSERT(f.hasID3v2Tag());
+      f.ID3v2Tag()->setTitle("Title");
+      f.save();
+    }
+    {
+      RIFF::WAV::File f(copy.fileName().c_str());
+      CPPUNIT_ASSERT(!f.hasID3v2Tag());
+    }
+  }
+
 };

 CPPUNIT_TEST_SUITE_REGISTRATION(TestWAV);