From 3541fd73f3feee53ac98f673c16f28ff9759f952 Mon Sep 17 00:00:00 2001
From: Serial <69764315+Serial-ATA@users.noreply.github.com>
Date: Mon, 22 Jul 2024 12:31:35 -0400
Subject: [PATCH] WAV: Fix panic on invalid `bits_per_sample`
---
CHANGELOG.md | 3 ++-
lofty/src/iff/wav/properties.rs | 7 ++++++-
.../2_IDX_34_RAND_128635499166458268533001.wav | Bin 0 -> 44 bytes
lofty/tests/fuzz/wavfile_read_from.rs | 7 +++++++
4 files changed, 15 insertions(+), 2 deletions(-)
create mode 100755 lofty/tests/fuzz/assets/wavfile_read_from/2_IDX_34_RAND_128635499166458268533001.wav
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c883cd21..2b0bb00d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,13 +25,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **MP4**: Atoms with sizes greater than the remaining file size will be ignored with `ParsingMode::Relaxed` ([PR](https://github.com/Serial-ATA/lofty-rs/pull/433)) ### Fixed -- **Fuzzing** (Thanks [@qarmin](https://github.com/qarmin)!) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/TODO)): +- **Fuzzing** (Thanks [@qarmin](https://github.com/qarmin)!) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/423)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/434)): - **MP4**: - Fix panic when reading properties of a file with no timescale specified ([issue](https://github.com/Serial-ATA/lofty-rs/issues/418)) - Fix panics when reading improperly sized freeform atom identifiers ([issue](https://github.com/Serial-ATA/lofty-rs/issues/425)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/426)) - **WAV**: - Fix panic when reading properties with large written bytes per second ([issue](https://github.com/Serial-ATA/lofty-rs/issues/420)) - Fix panic when reading an improperly sized INFO LIST ([issue](https://github.com/Serial-ATA/lofty-rs/issues/427)) + - Fix panic when reading a fmt chunk with an invalid bits_per_sample field ([issue](https://github.com/Serial-ATA/lofty-rs/issues/428)) - **Vorbis**: - Fix panic when reading properties of a file with large absolute granule positions ([issue](https://github.com/Serial-ATA/lofty-rs/issues/421)) - Fix attempted large allocations with invalid comment counts ([issue](https://github.com/Serial-ATA/lofty-rs/issues/419)) diff --git a/lofty/src/iff/wav/properties.rs b/lofty/src/iff/wav/properties.rs index 0a86b8af..7788eb90 100644 --- a/lofty/src/iff/wav/properties.rs +++ b/lofty/src/iff/wav/properties.rs 
@@ -196,7 +196,12 @@ pub(super) fn read_properties( decode_err!(@BAIL Wav, "File contains 0 channels"); } + if bits_per_sample % 8 != 0 { + decode_err!(@BAIL Wav, "Bits per sample is not a multiple of 8"); + } + let bytes_per_sample = block_align / u16::from(channels); + let bit_depth; match extensible_info { Some(ExtensibleFmtChunk { @@ -215,7 +220,7 @@ pub(super) fn read_properties( } if bits_per_sample > 0 && (total_samples == 0 || pcm) { - total_samples = stream_len / u32::from(u16::from(channels) * ((bits_per_sample + 7) / 8)) + total_samples = stream_len / (u32::from(channels) * u32::from(bits_per_sample / 8)); } let mut duration = Duration::ZERO; diff --git a/lofty/tests/fuzz/assets/wavfile_read_from/2_IDX_34_RAND_128635499166458268533001.wav b/lofty/tests/fuzz/assets/wavfile_read_from/2_IDX_34_RAND_128635499166458268533001.wav new file mode 100755 index 0000000000000000000000000000000000000000..ac2fc2464b51d679a2e3bf5cd584067c0f0e8d92 GIT binary patch literal 44 vcmWIYbaT_=U|
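Review bot: The `bits_per_sample % 8 != 0` bail added in the first hunk turns any non-byte-aligned depth into a hard decode error for the whole file, although the panic it targets appears to come only from the `u16` arithmetic on the `total_samples` line in the second hunk, which this commit already widens to `u32`. Widening alone would keep the previous round-up behaviour without the overflow, e.g. `total_samples = stream_len / (u32::from(channels) * ((u32::from(bits_per_sample) + 7) / 8));`, and the divisor stays non-zero because `channels == 0` is rejected just above and the branch requires `bits_per_sample > 0`. With the bail in place, a fmt chunk declaring a depth such as 4, 12 or 20 bits is refused outright, and the check runs before the `pcm` distinction, so non-PCM streams are presumably affected too. If strict rejection is intended, a comment above the check along the lines of `// later sample math assumes byte-aligned depths; reject instead of rounding` would record why, and limiting it to a strict parsing mode may be worth considering; whether a mode is in scope cannot be confirmed here, since `read_properties` begins and ends outside both hunks.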