Mirrors/lofty-rs
2
0
Fork 0
mirror of https://github.com/Serial-ATA/lofty-rs synced 2024-11-10 06:34:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

MPC: Fix overflow on tag size mismatches

Browse source
This commit is contained in:
Serial 2024-08-24 12:40:32 -04:00 committed by Alex
parent 4f9971a9fc
commit 9c967f6333
4 changed files with 33 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
lofty/src/musepack/read.rs
View file

@ -6,6 +6,7 @@ use crate::config::ParseOptions;
use crate::error::Result;
use crate::id3::v2::read::parse_id3v2;
use crate::id3::{find_id3v1, find_id3v2, find_lyrics3v2, FindId3v2Config, ID3FindResults};
use crate::macros::err;
use crate::util::io::SeekStreamLen;
use std::io::{Read, Seek, SeekFrom};
@ -47,11 +48,19 @@ where
if header.is_some() {
file.id3v1_tag = id3v1;
stream_length -= 128;
let Some(new_stream_length) = stream_length.checked_sub(128) else {
err!(SizeMismatch);
};
stream_length = new_stream_length;
}
let ID3FindResults(_, lyrics3v2_size) = find_lyrics3v2(reader)?;
stream_length -= u64::from(lyrics3v2_size);
let Some(new_stream_length) = stream_length.checked_sub(u64::from(lyrics3v2_size)) else {
err!(SizeMismatch);
};
stream_length = new_stream_length;
reader.seek(SeekFrom::Current(-32))?;
@ -60,9 +69,18 @@ where
// Seek back to the start of the tag
let pos = reader.stream_position()?;
reader.seek(SeekFrom::Start(pos - u64::from(header.size)))?;
stream_length -= u64::from(header.size);
let tag_size = u64::from(header.size);
let Some(tag_start) = pos.checked_sub(tag_size) else {
err!(SizeMismatch);
};
reader.seek(SeekFrom::Start(tag_start))?;
let Some(new_stream_length) = stream_length.checked_sub(tag_size) else {
err!(SizeMismatch);
};
stream_length = new_stream_length;
}
// Restore the position of the magic signature

BIN
lofty/tests/fuzz/assets/mpcfile_read_from/output.aac Normal file
View file

Binary file not shown.

1
lofty/tests/fuzz/main.rs
View file

@ -10,6 +10,7 @@ mod aifffile_read_from;
mod flacfile_read_from;
mod id3v2;
mod mp4file_read_from;
mod mpcfile_read_from;
mod mpegfile_read_from;
mod opusfile_read_from;
mod pictureinformation_from_jpeg;

10
lofty/tests/fuzz/mpcfile_read_from.rs Normal file
View file

@ -0,0 +1,10 @@
use lofty::config::ParseOptions;
use lofty::file::AudioFile;
use lofty::musepack::MpcFile;
// Overflow when passing an AAC file to MpcFile::read_from
#[test]
fn panic1() {
let mut reader = crate::get_reader("mpcfile_read_from/output.aac");
let _ = MpcFile::read_from(&mut reader, ParseOptions::new());
}