Fix MP3 panic, add fuzz targets

2024-11-10 06:34:18 +00:00 · 2022-01-02 20:53:26 -05:00 · 2022-01-02 20:53:26 -05:00 · 010b60b889
commit 010b60b889
parent 6670ea9cd5
13 changed files with 157 additions and 3 deletions
--- a/fuzz/.gitignore
+++ b/fuzz/.gitignore
@ -0,0 +1,3 @@
+target
+corpus
+artifacts
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@ -0,0 +1,55 @@
+[package]
+name = "lofty-fuzz"
+version = "0.0.0"
+authors = ["Automatically generated"]
+publish = false
+edition = "2018"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+
+[dependencies.lofty]
+path = ".."
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[[bin]]
+name = "filetype_from_buffer"
+path = "fuzz_targets/filetype_from_buffer.rs"
+
+[[bin]]
+name = "mp3file_read_from"
+path = "fuzz_targets/mp3file_read_from.rs"
+
+[[bin]]
+name = "aifffile_read_from"
+path = "fuzz_targets/aifffile_read_from.rs"
+
+[[bin]]
+name = "apefile_read_from"
+path = "fuzz_targets/apefile_read_from.rs"
+
+[[bin]]
+name = "flacfile_read_from"
+path = "fuzz_targets/flacfile_read_from.rs"
+
+[[bin]]
+name = "mp4file_read_from"
+path = "fuzz_targets/mp4file_read_from.rs"
+
+[[bin]]
+name = "opusfile_read_from"
+path = "fuzz_targets/opusfile_read_from.rs"
+
+[[bin]]
+name = "vorbisfile_read_from"
+path = "fuzz_targets/vorbisfile_read_from.rs"
+
+[[bin]]
+name = "wavfile_read_from"
+path = "fuzz_targets/wavfile_read_from.rs"
--- a/fuzz/fuzz_targets/aifffile_read_from.rs
+++ b/fuzz/fuzz_targets/aifffile_read_from.rs
@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use lofty::AudioFile;
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: Vec<u8>| {
+    let _ = lofty::iff::AiffFile::read_from(&mut Cursor::new(data), false);
+});
--- a/fuzz/fuzz_targets/apefile_read_from.rs
+++ b/fuzz/fuzz_targets/apefile_read_from.rs
@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use lofty::AudioFile;
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: Vec<u8>| {
+    let _ = lofty::ape::ApeFile::read_from(&mut Cursor::new(data), false);
+});
--- a/fuzz/fuzz_targets/filetype_from_buffer.rs
+++ b/fuzz/fuzz_targets/filetype_from_buffer.rs
@ -0,0 +1,6 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    let _ = lofty::FileType::from_buffer(data);
+});
--- a/fuzz/fuzz_targets/flacfile_read_from.rs
+++ b/fuzz/fuzz_targets/flacfile_read_from.rs
@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use lofty::AudioFile;
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: Vec<u8>| {
+    let _ = lofty::ogg::FlacFile::read_from(&mut Cursor::new(data), false);
+});
--- a/fuzz/fuzz_targets/mp3file_read_from.rs
+++ b/fuzz/fuzz_targets/mp3file_read_from.rs
@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use lofty::AudioFile;
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: Vec<u8>| {
+    let _ = lofty::mp3::Mp3File::read_from(&mut Cursor::new(data), false);
+});
--- a/fuzz/fuzz_targets/mp4file_read_from.rs
+++ b/fuzz/fuzz_targets/mp4file_read_from.rs
@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use lofty::AudioFile;
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: Vec<u8>| {
+    let _ = lofty::mp4::Mp4File::read_from(&mut Cursor::new(data), false);
+});
--- a/fuzz/fuzz_targets/opusfile_read_from.rs
+++ b/fuzz/fuzz_targets/opusfile_read_from.rs
@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use lofty::AudioFile;
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: Vec<u8>| {
+    let _ = lofty::ogg::OpusFile::read_from(&mut Cursor::new(data), false);
+});
--- a/fuzz/fuzz_targets/vorbisfile_read_from.rs
+++ b/fuzz/fuzz_targets/vorbisfile_read_from.rs
@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use lofty::AudioFile;
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: Vec<u8>| {
+    let _ = lofty::ogg::VorbisFile::read_from(&mut Cursor::new(data), false);
+});
--- a/fuzz/fuzz_targets/wavfile_read_from.rs
+++ b/fuzz/fuzz_targets/wavfile_read_from.rs
@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use lofty::AudioFile;
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: Vec<u8>| {
+    let _ = lofty::iff::WavFile::read_from(&mut Cursor::new(data), false);
+});
--- a/src/mp3/header.rs
+++ b/src/mp3/header.rs
@ -96,6 +96,7 @@ impl Header {

 		match sample_rate {
 			// This is invalid, but it doesn't seem worth it to error here
+			// We will error if properties are read
 			3 => sample_rate = 0,
 			_ => sample_rate = SAMPLE_RATES[version as usize][sample_rate as usize],
 		}
@ -118,9 +119,13 @@ impl Header {
 		let data_start = SIDE_INFORMATION_SIZES[version_index][channel_mode as usize] + 4;
 		let samples = SAMPLES[layer_index][version_index];

-		let len = match layer {
-			Layer::Layer1 => (bitrate * 12000 / sample_rate + padding) * 4,
-			Layer::Layer2 | Layer::Layer3 => bitrate * 144_000 / sample_rate + padding,
+		let len = if sample_rate == 0 {
+			0
+		} else {
+			match layer {
+				Layer::Layer1 => (bitrate * 12000 / sample_rate + padding) * 4,
+				Layer::Layer2 | Layer::Layer3 => bitrate * 144_000 / sample_rate + padding,
+			}
 		};

 		let channels = if channel_mode == ChannelMode::SingleChannel {
--- a/src/mp3/read.rs
+++ b/src/mp3/read.rs
@ -131,6 +131,11 @@ where
 		}

 		let first_frame_header = first_frame_header.unwrap();
+
+		if first_frame_header.sample_rate == 0 {
+			return Err(LoftyError::Mp3("Sample rate is 0"));
+		}
+
 		let first_frame_offset = file.first_frame_offset.unwrap();

 		let file_length = reader.seek(SeekFrom::End(0))?;