Detect RIFF files with invalid chunk sizes

The bug report has a WAVE file with zero-sized 'data' chunk, which causes TagLib to iterate over the file, 8 bytes in each iteration. The new code adds a check for the chunk name, which forces it to mark the file as invalid if the chunk name doesn't contain ASCII characters. https://bugs.kde.org/show_bug.cgi?id=283412
2025-05-27 13:10:26 -04:00 · 2011-10-08 18:41:15 +02:00 · 2011-10-08 18:41:15 +02:00 · f59c3b67aa
commit f59c3b67aa
parent 294cb22241
5 changed files with 39 additions and 1 deletions
--- a/taglib/riff/aiff/aifffile.cpp
+++ b/taglib/riff/aiff/aifffile.cpp
@ -87,6 +87,11 @@ bool RIFF::AIFF::File::save()
    return false;
  }

+  if(!isValid()) {
+    debug("RIFF::AIFF::File::save() -- Trying to save invalid file.");
+    return false;
+  }
+
  setChunkData(d->tagChunkID, d->tag->render());

  return true;
--- a/taglib/riff/rifffile.cpp
+++ b/taglib/riff/rifffile.cpp
@ -194,6 +194,19 @@ void RIFF::File::setChunkData(const ByteVector &name, const ByteVector &data)
 // private members
 ////////////////////////////////////////////////////////////////////////////////

+static bool isValidChunkID(const ByteVector &name)
+{
+  if(name.size() != 4) {
+    return false;
+  }
+  for(int i = 0; i < 4; i++) {
+    if(name[i] < 32 || name[i] > 127) {
+      return false;
+    }
+  }
+  return true;
+}
+
 void RIFF::File::read()
 {
  bool bigEndian = (d->endianness == BigEndian);
@ -207,8 +220,15 @@ void RIFF::File::read()
    ByteVector chunkName = readBlock(4);
    uint chunkSize = readBlock(4).toUInt(bigEndian);

+    if(!isValidChunkID(chunkName)) {
+      debug("RIFF::File::read() -- Chunk '" + chunkName + "' has invalid ID");
+      setValid(false);
+      break;
+    }
+
    if(tell() + chunkSize > uint(length())) {
-      // something wrong
+      debug("RIFF::File::read() -- Chunk '" + chunkName + "' has invalid size (larger than the file size)");
+      setValid(false);
      break;
    }

--- a/taglib/riff/wav/wavfile.cpp
+++ b/taglib/riff/wav/wavfile.cpp
@ -87,6 +87,11 @@ bool RIFF::WAV::File::save()
    return false;
  }

+  if(!isValid()) {
+    debug("RIFF::WAV::File::save() -- Trying to save invalid file.");
+    return false;
+  }
+
  setChunkData(d->tagChunkID, d->tag->render());

  return true;
--- a/tests/data/zero-size-chunk.wav
+++ b/tests/data/zero-size-chunk.wav
--- a/tests/test_wav.cpp
+++ b/tests/test_wav.cpp
@ -13,6 +13,7 @@ class TestWAV : public CppUnit::TestFixture
 {
  CPPUNIT_TEST_SUITE(TestWAV);
  CPPUNIT_TEST(testLength);
+  CPPUNIT_TEST(testZeroSizeDataChunk);
  CPPUNIT_TEST_SUITE_END();

 public:
@ -20,9 +21,16 @@ public:
  void testLength()
  {
    RIFF::WAV::File f("data/empty.wav");
+    CPPUNIT_ASSERT_EQUAL(true, f.isValid());
    CPPUNIT_ASSERT_EQUAL(3, f.audioProperties()->length());
  }

+  void testZeroSizeDataChunk()
+  {
+    RIFF::WAV::File f("data/zero-size-chunk.wav");
+    CPPUNIT_ASSERT_EQUAL(false, f.isValid());
+  }
+
 };

 CPPUNIT_TEST_SUITE_REGISTRATION(TestWAV);