From e21640bf101c1e015b036fc7b8601727cc6a04f5 Mon Sep 17 00:00:00 2001
From: Urs Fleisch <ufleisch@users.sourceforge.net>
Date: Sat, 18 Mar 2023 08:07:46 +0100
Subject: [PATCH] MP4: Detect atoms with invalid length or type (#1077)

---
 taglib/mp4/mp4atom.cpp      |  10 +++++++++-
 tests/data/ilst-is-last.m4a | Bin 32768 -> 32768 bytes
 tests/test_mp4.cpp          |   5 ++++-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/taglib/mp4/mp4atom.cpp b/taglib/mp4/mp4atom.cpp
index c4f4ff5d..02e90f9c 100644
--- a/taglib/mp4/mp4atom.cpp
+++ b/taglib/mp4/mp4atom.cpp
@@ -73,7 +73,7 @@ MP4::Atom::Atom(File *file)
     }
   }
 
-  if(length < 8) {
+  if(length < 8 || length > file->length() - offset) {
     debug("MP4: Invalid atom size");
     length = 0;
     file->seek(0, File::End);
@@ -81,6 +81,14 @@ MP4::Atom::Atom(File *file)
   }
 
   name = header.mid(4, 4);
+  for(int i = 0; i < 4; ++i) {
+    const char ch = name.at(i);
+    if((ch < ' ' || ch > '~') && ch != '\251') {
+      debug("MP4: Invalid atom type");
+      length = 0;
+      file->seek(0, File::End);
+    }
+  }
 
   for(int i = 0; i < numContainers; i++) {
     if(name == containers[i]) {
diff --git a/tests/data/ilst-is-last.m4a b/tests/data/ilst-is-last.m4a
index c56c80498027ecb7113d0ec56042277233361ccd..7f252ffd88b5e35cf00ffd801f6d1034f73243f9 100644
GIT binary patch
delta 17
YcmZo@U}|V!+7N5Z<g;{hyzxRG061s{Y5)KL

delta 17
YcmZo@U}|V!+7N5Z)Hi=~yzxRG06G!|rT_o{

diff --git a/tests/test_mp4.cpp b/tests/test_mp4.cpp
index 14b23e1f..2ead2bab 100644
--- a/tests/test_mp4.cpp
+++ b/tests/test_mp4.cpp
@@ -575,7 +575,10 @@ public:
   void testFuzzedFile()
   {
     MP4::File f(TEST_FILE_PATH_C("infloop.m4a"));
-    CPPUNIT_ASSERT(f.isValid());
+    // The file has an invalid atom length of 2775 in the last atom
+    // ("free", offset 0xc521, 00000ad7 66726565), whereas the remaining file
+    // length is 2727 bytes, therefore the file is now considered invalid.
+    CPPUNIT_ASSERT(!f.isValid());
   }
 
   void testRepeatedSave()