Check the packet size to fix a segfault error while parsing fuzzed MPC files.
authorTsuda Kageyu <tsuda.kageyu@gmail.com>
Thu, 8 Jan 2015 03:49:33 +0000 (12:49 +0900)
committerTsuda Kageyu <tsuda.kageyu@gmail.com>
Mon, 16 Feb 2015 16:22:39 +0000 (01:22 +0900)
taglib/mpc/mpcproperties.cpp
tests/data/segfault.mpc [new file with mode: 0644]
tests/test_mpc.cpp

index a162b8eeee44780a247452323e5dce2a0d3d0a6c..ac9d1b45e296fe68aa88e8318d4550290aad4282 100644 (file)
@@ -206,13 +206,28 @@ void MPC::Properties::readSV8(File *file)
     if(packetType == "SH") {
       // Stream Header
       // http://trac.musepack.net/wiki/SV8Specification#StreamHeaderPacket
+
+      if(dataSize <= 5) {
+        debug("MPC::Properties::readSV8() - \"SH\" packet is too short to parse.");
+        break;
+      }
+
       readSH = true;
 
       TagLib::uint pos = 4;
       d->version = data[pos];
       pos += 1;
       d->sampleFrames = readSize(data.mid(pos), pos);
+      if(pos > dataSize - 3) {
+        debug("MPC::Properties::readSV8() - \"SH\" packet is corrupt.");
+        break;
+      }
+
       ulong begSilence = readSize(data.mid(pos), pos);
+      if(pos > dataSize - 2) {
+        debug("MPC::Properties::readSV8() - \"SH\" packet is corrupt.");
+        break;
+      }
 
       const ushort flags = data.toUShort(pos, true);
       pos += 2;
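Review bot: The three new guards compare `pos` against `dataSize` but never against `data.size()`; if `data` is filled above this hunk by a read of `dataSize` bytes from the file (presumably, the buffer's origin is not visible here), a truncated file yields a buffer shorter than `dataSize`, and `data[pos]` and `data.toUShort(pos, true)` can still index past the end of the buffer even though the guards pass. A single check on the actual buffer before the packet-type dispatch, `if(data.size() < dataSize) { debug("MPC::Properties::readSV8() - packet is truncated."); break; }`, or comparing against `data.size()` in the three guards, would close that gap. Whether `readSize()` stops at the end of the ByteVector it is handed cannot be seen from this hunk either. readSV8() begins before and continues after this hunk.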
@@ -230,6 +245,12 @@ void MPC::Properties::readSV8(File *file)
     else if (packetType == "RG") {
       // Replay Gain
       // http://trac.musepack.net/wiki/SV8Specification#ReplaygainPacket
+
+      if(dataSize <= 9) {
+        debug("MPC::Properties::readSV8() - \"RG\" packet is too short to parse.");
+        break;
+      }
+
       readRG = true;
 
       int replayGainVersion = data[0];
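Review bot: `if(dataSize <= 9)` also rejects a Replay Gain payload of exactly 9 bytes, which is what the linked SV8 spec describes for this packet (one version byte followed by four 16-bit gain/peak fields); if the reads that follow `data[0]` outside this hunk end at offset 8, the bound should be `if(dataSize < 9)`. If a larger minimum is intended, a comment next to the guard stating which field layout the 9 derives from would stop it being "corrected" later. The enclosing else-if body continues past the hunk.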
diff --git a/tests/data/segfault.mpc b/tests/data/segfault.mpc
new file mode 100644 (file)
index 0000000..2c7e29f
Binary files /dev/null and b/tests/data/segfault.mpc differ
index c79d0a8ca14953a447e0b9dcefa0a4f6c393ad40..1204b0c2b9cf45ceb300d5b35a655df00329ab33 100644 (file)
@@ -19,6 +19,7 @@ class TestMPC : public CppUnit::TestFixture
   CPPUNIT_TEST(testPropertiesSV4);
   CPPUNIT_TEST(testFuzzedFile1);
   CPPUNIT_TEST(testFuzzedFile2);
+  CPPUNIT_TEST(testFuzzedFile3);
   CPPUNIT_TEST_SUITE_END();
 
 public:
@@ -75,6 +76,12 @@ public:
     CPPUNIT_ASSERT(f.isValid());
   }
 
+  void testFuzzedFile3()
+  {
+    MPC::File f(TEST_FILE_PATH_C("segfault.mpc"));
+    CPPUNIT_ASSERT(f.isValid());
+  }
+
 };
 
 CPPUNIT_TEST_SUITE_REGISTRATION(TestMPC);
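Review bot: testFuzzedFile3 asserts only `f.isValid()`, so nothing in the test records which code path segfault.mpc was added to exercise; a one-line comment such as `// Regression: fuzzed SV8 file whose packet size is shorter than the fields readSV8() parses (used to segfault).` would tie the fixture to the check it protects. Mirroring testFuzzedFile2 directly above, the assertion itself is adequate for a crash-regression test.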