diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ad01850..8282f08a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **MP3/APE**: Stop trusting the lengths of APE tag items (Fixes OOM) - **PictureInformation**: Fix potential overflow on an invalid picture - **MP4**: The parser has received a major facelift, and shouldn't be so eager to allocate or trust user data (Fixes OOM) +- **FLAC**: Return early when encountering invalid zero-sized blocks ## [0.7.1] - 2022-07-08 diff --git a/src/flac/block.rs b/src/flac/block.rs index 7e1dcaa4..2a535f93 100644 --- a/src/flac/block.rs +++ b/src/flac/block.rs @@ -25,7 +25,7 @@ impl Block { let last = (byte & 0x80) != 0; let ty = byte & 0x7F; - let size = data.read_uint::(3)? as u32; + let size = data.read_u24::()?; let mut content = try_vec![0; size as usize]; data.read_exact(&mut content)?; diff --git a/src/flac/read.rs b/src/flac/read.rs index bd8f1c64..2927efcb 100644 --- a/src/flac/read.rs +++ b/src/flac/read.rs @@ -87,6 +87,14 @@ where let block = Block::read(data)?; last_block = block.last; + if block.content.is_empty() && (block.ty != 1 && block.ty != 3) { + return Err(FileDecodingError::new( + FileType::FLAC, + "Encountered a zero-sized metadata block", + ) + .into()); + } + match block.ty { #[cfg(feature = "vorbis_comments")] 4 => read_comments(&mut &*block.content, &mut tag)?, diff --git a/tests/fuzz/flacfile_read_from.rs b/tests/fuzz/flacfile_read_from.rs index 70b786d1..ec032f39 100644 --- a/tests/fuzz/flacfile_read_from.rs +++ b/tests/fuzz/flacfile_read_from.rs @@ -1 +1,7 @@ -// TODO +use crate::oom_test; +use lofty::flac::FlacFile; + +#[test] +fn oom1() { + oom_test::("flacfile_read_from/oom-9268264e9bc5e2124e4d63cbff8cff0b0dec6644"); +}