From 440cae88c6c58d4d65a4c2b8153739a232993745 Mon Sep 17 00:00:00 2001
From: Serial <69764315+Serial-ATA@users.noreply.github.com>
Date: Sat, 2 Nov 2024 10:45:06 -0400
Subject: [PATCH] WV: Add extra length check for wrong sized large blocks
---
 lofty/src/wavpack/properties.rs | 6 +++++-
 ...765886234e3a25b182f01bc3f92880188f5b_minimized | Bin 0 -> 520 bytes
 lofty/tests/fuzz/wavpackfile_read_from.rs | 8 ++++++++
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 lofty/tests/fuzz/assets/wavpackfile_read_from/crash-c6f0765886234e3a25b182f01bc3f92880188f5b_minimized
diff --git a/lofty/src/wavpack/properties.rs b/lofty/src/wavpack/properties.rs
index f2363999..9cdd13b2 100644
--- a/lofty/src/wavpack/properties.rs
+++ b/lofty/src/wavpack/properties.rs
@@ -224,7 +224,7 @@ where
 log::warn!("Unable to calculate duration, unknown sample counts are not yet supported");
 return Ok(properties);
 }
-
+
 if total_samples == 0 || properties.sample_rate == 0 {
 if parse_mode == ParsingMode::Strict {
 decode_err!(@BAIL WavPack, "Unable to calculate duration (sample count == 0 || sample rate == 0)")
@@ -317,6 +317,10 @@ fn get_extended_meta_info(
 let is_large = id & ID_FLAG_LARGE_SIZE > 0;
 if is_large {
+ if block_size - index < 2 {
+ break;
+ }
+
 size += u32::from(block_content[index]) << 9;
 size += u32::from(block_content[index + 1]) << 17;
 index += 2;
diff --git a/lofty/tests/fuzz/assets/wavpackfile_read_from/crash-c6f0765886234e3a25b182f01bc3f92880188f5b_minimized b/lofty/tests/fuzz/assets/wavpackfile_read_from/crash-c6f0765886234e3a25b182f01bc3f92880188f5b_minimized
new file mode 100644
index 0000000000000000000000000000000000000000..ee45cf4b73668919dfdef0df42df691af868cc79
GIT binary patch literal 520 zcmXRfE68SGVt|5HF$m)e$6qj4(d3(*=Bc@K%0i9G8B;t!tfK~m31(un9 z7Rwdby8<6ravu7smYm1I8_CK53|9va#a59Z5RufO2yzfZn*@;6E>mZ37VcFCIF5rw5X5t` F004a)#~%Oy literal 0 HcmV?d00001
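Review bot: The new guard `if block_size - index < 2` in the `is_large` branch is only safe while `index <= block_size`; if both are unsigned (their types are declared outside the hunk) and `index` ever passes `block_size`, the subtraction panics in debug builds and wraps in release, so the two `block_content[index]` reads would still index out of bounds on an untrusted file. Writing the check additively, `if index + 2 > block_size { break; }`, or reading through `block_content.get(index..index + 2)`, removes the dependence on that invariant. The `break` also drops the rest of the metadata silently; a `log::warn!` before it, as used earlier in this file, would make truncated large blocks visible when triaging malformed input. The loop and the code that later consumes `size` lie outside the hunk, so whether `size` is bounded against the remaining block is worth confirming there.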
diff --git a/lofty/tests/fuzz/wavpackfile_read_from.rs b/lofty/tests/fuzz/wavpackfile_read_from.rs
index dca46f7f..a8526de8 100644
--- a/lofty/tests/fuzz/wavpackfile_read_from.rs
+++ b/lofty/tests/fuzz/wavpackfile_read_from.rs
@@ -96,3 +96,11 @@ fn panic2() {
 let mut reader = crate::get_reader("wavpackfile_read_from/bb");
 let _ = WavPackFile::read_from(&mut reader, ParseOptions::default());
 }
+
+#[test_log::test]
+fn panic3() {
+ let mut reader = crate::get_reader(
+ "wavpackfile_read_from/crash-c6f0765886234e3a25b182f01bc3f92880188f5b_minimized",
+ );
+ let _ = WavPackFile::read_from(&mut reader, ParseOptions::default());
+}
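Review bot: `panic3` discards the result with `let _ =`, so it asserts only that the crash input no longer panics, and it runs only under `ParseOptions::default()`. A short comment above the test would keep that intent clear, e.g. `// Large block with fewer than 2 size bytes remaining; must not panic (fuzz crash-c6f07658…)`. If strict parsing takes a different path through `get_extended_meta_info`, a second read in strict mode would cover it; that is not visible from this hunk.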