diff --git a/CHANGELOG.md b/CHANGELOG.md
index b18f72e8..b3105329 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,7 +31,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **WAV**:
 - Fix panic when reading properties with large written bytes per second ([issue](https://github.com/Serial-ATA/lofty-rs/issues/420))
 - Fix panic when reading an improperly sized INFO LIST ([issue](https://github.com/Serial-ATA/lofty-rs/issues/427))
- - **Vorbis**: Fix panic when reading properties of a file with large absolute granule positions ([issue](https://github.com/Serial-ATA/lofty-rs/issues/421))
+ - **Vorbis**:
+ - Fix panic when reading properties of a file with large absolute granule positions ([issue](https://github.com/Serial-ATA/lofty-rs/issues/421))
+ - Fix attempted large allocations with invalid comment counts ([issue](https://github.com/Serial-ATA/lofty-rs/issues/419))
 - **FLAC**: Fix panic when reading properties of a file with incorrect block sizes ([issue](https://github.com/Serial-ATA/lofty-rs/issues/422))
 - **AIFF**: Fix panic when reading properties of a file with invalid f80 sample rate ([issue](https://github.com/Serial-ATA/lofty-rs/issues/424))
 
diff --git a/lofty/src/ogg/read.rs b/lofty/src/ogg/read.rs
index 48479944..32d75bad 100644
--- a/lofty/src/ogg/read.rs
+++ b/lofty/src/ogg/read.rs
@@ -75,6 +75,9 @@ where
 };
 
 let number_of_items = data.read_u32::()?;
+ if number_of_items > (len >> 2) as u32 {
+ err!(SizeMismatch);
+ }
 
 let mut tag = VorbisComments {
 vendor,
diff --git a/lofty/tests/fuzz/assets/vorbisfile_read_from/move01d_IDX_13_RAND_35154275996070165946691.ogg b/lofty/tests/fuzz/assets/vorbisfile_read_from/move01d_IDX_13_RAND_35154275996070165946691.ogg
new file mode 100755
index 00000000..4224c032
Binary files /dev/null and b/lofty/tests/fuzz/assets/vorbisfile_read_from/move01d_IDX_13_RAND_35154275996070165946691.ogg differ
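Review bot: The new guard in `lofty/src/ogg/read.rs`, `if number_of_items > (len >> 2) as u32`, has no comment saying where the bound comes from, and its `as u32` cast truncates if `len` is wider than 32 bits (its declaration is outside the hunk). Presumably each comment needs at least a 4-byte length prefix, so `len` bytes can hold at most `len / 4` of them; I would state that above the check, e.g. `// Each comment has a 4-byte length prefix, so at most len / 4 comments fit in the packet`. If `len` is a `u64`, widening the count instead, `if u64::from(number_of_items) > len >> 2 {`, avoids a cast that for a very large `len` would wrap the bound and reject an in-range count. Whether `len` already excludes the vendor string and the count field cannot be seen here; if it does not, the bound is looser than the bytes actually remaining, though it still ties the count to the declared size. The enclosing function starts and ends outside the hunk.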
diff --git a/lofty/tests/fuzz/vorbisfile_read_from.rs b/lofty/tests/fuzz/vorbisfile_read_from.rs
index 8980ce1a..2c15c487 100644
--- a/lofty/tests/fuzz/vorbisfile_read_from.rs
+++ b/lofty/tests/fuzz/vorbisfile_read_from.rs
@@ -8,6 +8,13 @@ fn oom1() {
 oom_test::("vorbisfile_read_from/oom-436193bc2d1664b74c19720bef08697d03284f06");
 }
 
+#[test]
+fn large_allocation() {
+ let mut reader =
+ crate::get_reader("vorbisfile_read_from/move01d_IDX_13_RAND_35154275996070165946691.ogg");
+ let _ = VorbisFile::read_from(&mut reader, ParseOptions::new());
+}
+
 #[test]
 fn panic1() {
 let mut reader =
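Review bot: `large_allocation` discards the parse result with `let _ =`, so the test passes whether the reader rejects the file or accepts it. On a host where an oversized allocation simply succeeds, it would also pass without the new comment-count check, so it does not pin the fix. Assuming this asset reaches that check, asserting the rejection does: `assert!(VorbisFile::read_from(&mut reader, ParseOptions::new()).is_err());`. A one-line comment tying the asset to the issue it reproduces (the changelog entry points at issue 419) would help too, since the file name gives no hint.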