Check for EOF to fix an infinite loop while parsing fuzzed MPC files.
authorTsuda Kageyu <tsuda.kageyu@gmail.com>
Thu, 8 Jan 2015 03:28:20 +0000 (12:28 +0900)
committerTsuda Kageyu <tsuda.kageyu@gmail.com>
Mon, 16 Feb 2015 16:22:39 +0000 (01:22 +0900)
taglib/mpc/mpcproperties.cpp
tests/data/infloop.mpc [new file with mode: 0644]
tests/test_mpc.cpp

index f11f8ecf7a5bfcba642b646a710647bd307e2214..a162b8eeee44780a247452323e5dce2a0d3d0a6c 100644 (file)
@@ -197,10 +197,15 @@ void MPC::Properties::readSV8(File *file)
     unsigned long packetSize = readSize(file, packetSizeLength);
     unsigned long dataSize = packetSize - 2 - packetSizeLength;
 
+    const ByteVector data = file->readBlock(dataSize);
+    if(data.size() != dataSize) {
+      debug("MPC::Properties::readSV8() - dataSize doesn't match the actual data size.");
+      break;
+    }
+
     if(packetType == "SH") {
       // Stream Header
       // http://trac.musepack.net/wiki/SV8Specification#StreamHeaderPacket
-      ByteVector data = file->readBlock(dataSize);
       readSH = true;
 
       TagLib::uint pos = 4;
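Review bot: `dataSize` is still computed as `packetSize - 2 - packetSizeLength` in unsigned arithmetic, so a fuzzed packet whose `packetSize` is smaller than the two-byte key plus its length field wraps to a huge value before the new `readBlock()`/size check ever runs. Whether `readBlock()` clamps such a length to the file size cannot be seen from this hunk; if it does not, the guard is reached only after an attempt to allocate that many bytes. A check before the subtraction closes the gap: `if(packetSize < 2 + packetSizeLength) { debug("MPC::Properties::readSV8() - Invalid packet size."); break; }`. The `break` also relies on an enclosing loop, and readSV8's body starts before and continues past this hunk.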
@@ -225,7 +230,6 @@ void MPC::Properties::readSV8(File *file)
     else if (packetType == "RG") {
       // Replay Gain
       // http://trac.musepack.net/wiki/SV8Specification#ReplaygainPacket
-      ByteVector data = file->readBlock(dataSize);
       readRG = true;
 
       int replayGainVersion = data[0];
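Review bot: `data[0]` on the last line of the hunk is read without checking that the RG packet carries any payload; the new guard only requires `data.size() == dataSize`, and a fuzzed packet with `dataSize == 0` satisfies it with an empty vector (presumably what `readBlock(0)` returns), so the index is out of bounds. A length check before the access, e.g. `if(data.size() < 1) { debug("MPC::Properties::readSV8() - RG packet is too short."); break; }`, would reject it. The fields read after `replayGainVersion`, and the fixed offsets the SH branch reads from `pos = 4`, lie outside this hunk, so the minimum sizes each branch actually needs are likely larger than one byte and should be checked against the same way.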
diff --git a/tests/data/infloop.mpc b/tests/data/infloop.mpc
new file mode 100644 (file)
index 0000000..46861ab
Binary files /dev/null and b/tests/data/infloop.mpc differ
index d7239a6dcc92f3b3b68403dc46951073e67c7b76..c79d0a8ca14953a447e0b9dcefa0a4f6c393ad40 100644 (file)
@@ -18,6 +18,7 @@ class TestMPC : public CppUnit::TestFixture
   CPPUNIT_TEST(testPropertiesSV5);
   CPPUNIT_TEST(testPropertiesSV4);
   CPPUNIT_TEST(testFuzzedFile1);
+  CPPUNIT_TEST(testFuzzedFile2);
   CPPUNIT_TEST_SUITE_END();
 
 public:
@@ -68,6 +69,12 @@ public:
     CPPUNIT_ASSERT(f.isValid());
   }
 
+  void testFuzzedFile2()
+  {
+    MPC::File f(TEST_FILE_PATH_C("infloop.mpc"));
+    CPPUNIT_ASSERT(f.isValid());
+  }
+
 };
 
 CPPUNIT_TEST_SUITE_REGISTRATION(TestMPC);
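Review bot: testFuzzedFile2 asserts only `f.isValid()`, so a regression of the infinite loop it guards against would show up as a hung test run rather than a failed assertion, since CppUnit imposes no per-test timeout. Running the suite under a timeout in CI would turn that hang into a failure. Asserting on what readSV8 produced, for instance `CPPUNIT_ASSERT(f.audioProperties());`, would also pin the fixed behaviour more tightly, though whether audioProperties() is non-null for this truncated file is not visible from the hunk.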