Detect RIFF files with invalid chunk sizes

The bug report has a WAVE file with zero-sized 'data' chunk, which causes
TagLib to iterate over the file, 8 bytes in each iteration. The new code
adds a check for the chunk name, which forces it to mark the file as
invalid if the chunk name doesn't contain ASCII characters.

https://bugs.kde.org/show_bug.cgi?id=283412
This commit is contained in:
Lukáš Lalinský 2011-10-08 18:41:15 +02:00
parent 294cb22241
commit f59c3b67aa
5 changed files with 39 additions and 1 deletions

View File

@ -87,6 +87,11 @@ bool RIFF::AIFF::File::save()
return false;
}
if(!isValid()) {
debug("RIFF::AIFF::File::save() -- Trying to save invalid file.");
return false;
}
setChunkData(d->tagChunkID, d->tag->render());
return true;

View File

@ -194,6 +194,19 @@ void RIFF::File::setChunkData(const ByteVector &name, const ByteVector &data)
// private members
////////////////////////////////////////////////////////////////////////////////
static bool isValidChunkID(const ByteVector &name)
{
if(name.size() != 4) {
return false;
}
for(int i = 0; i < 4; i++) {
if(name[i] < 32 || name[i] > 127) {
return false;
}
}
return true;
}
void RIFF::File::read()
{
bool bigEndian = (d->endianness == BigEndian);
@ -207,8 +220,15 @@ void RIFF::File::read()
ByteVector chunkName = readBlock(4);
uint chunkSize = readBlock(4).toUInt(bigEndian);
if(!isValidChunkID(chunkName)) {
debug("RIFF::File::read() -- Chunk '" + chunkName + "' has invalid ID");
setValid(false);
break;
}
if(tell() + chunkSize > uint(length())) {
// something wrong
debug("RIFF::File::read() -- Chunk '" + chunkName + "' has invalid size (larger than the file size)");
setValid(false);
break;
}

View File

@ -87,6 +87,11 @@ bool RIFF::WAV::File::save()
return false;
}
if(!isValid()) {
debug("RIFF::WAV::File::save() -- Trying to save invalid file.");
return false;
}
setChunkData(d->tagChunkID, d->tag->render());
return true;

Binary file not shown.

View File

@ -13,6 +13,7 @@ class TestWAV : public CppUnit::TestFixture
{
CPPUNIT_TEST_SUITE(TestWAV);
CPPUNIT_TEST(testLength);
CPPUNIT_TEST(testZeroSizeDataChunk);
CPPUNIT_TEST_SUITE_END();
public:
@ -20,9 +21,16 @@ public:
void testLength()
{
RIFF::WAV::File f("data/empty.wav");
CPPUNIT_ASSERT_EQUAL(true, f.isValid());
CPPUNIT_ASSERT_EQUAL(3, f.audioProperties()->length());
}
void testZeroSizeDataChunk()
{
RIFF::WAV::File f("data/zero-size-chunk.wav");
CPPUNIT_ASSERT_EQUAL(false, f.isValid());
}
};
CPPUNIT_TEST_SUITE_REGISTRATION(TestWAV);