MP4: Detect atoms with invalid length or type (#1077)

2025-05-27 21:20:26 -04:00 · 2023-03-18 08:07:46 +01:00 · 2023-03-18 08:07:46 +01:00 · e21640bf10
commit e21640bf10
parent a31356e330
3 changed files with 13 additions and 2 deletions
--- a/taglib/mp4/mp4atom.cpp
+++ b/taglib/mp4/mp4atom.cpp
@ -73,7 +73,7 @@ MP4::Atom::Atom(File *file)
    }
  }

-  if(length < 8) {
+  if(length < 8 || length > file->length() - offset) {
    debug("MP4: Invalid atom size");
    length = 0;
    file->seek(0, File::End);
@ -81,6 +81,14 @@ MP4::Atom::Atom(File *file)
  }

  name = header.mid(4, 4);
+  for(int i = 0; i < 4; ++i) {
+    const char ch = name.at(i);
+    if((ch < ' ' || ch > '~') && ch != '\251') {
+      debug("MP4: Invalid atom type");
+      length = 0;
+      file->seek(0, File::End);
+    }
+  }

  for(int i = 0; i < numContainers; i++) {
    if(name == containers[i]) {
--- a/tests/data/ilst-is-last.m4a
+++ b/tests/data/ilst-is-last.m4a
--- a/tests/test_mp4.cpp
+++ b/tests/test_mp4.cpp
@ -575,7 +575,10 @@ public:
  void testFuzzedFile()
  {
    MP4::File f(TEST_FILE_PATH_C("infloop.m4a"));
-    CPPUNIT_ASSERT(f.isValid());
+    // The file has an invalid atom length of 2775 in the last atom
+    // ("free", offset 0xc521, 00000ad7 66726565), whereas the remaining file
+    // length is 2727 bytes, therefore the file is now considered invalid.
+    CPPUNIT_ASSERT(!f.isValid());
  }

  void testRepeatedSave()