diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ce15c94..481c007b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -53,11 +53,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - When skipping invalid frames in `ParsingMode::{BestAttempt, Relaxed}`, the parser will no longer be able to go out of the bounds of the frame content ([issue](https://github.com/Serial-ATA/lofty-rs/issues/458)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/459)) - **MP4**: Support for flag items (ex. `cpil`) of any size (not just 1 byte) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/457)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/460)) -- **Fuzzing** (Thanks [@qarmin](https://github.com/qarmin)!) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/476)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/479)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/483)): +- **Fuzzing** (Thanks [@qarmin](https://github.com/qarmin)!) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/476)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/479)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/483)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/489)): - **MusePack**: Fix panic when ID3v2 tag sizes exceed the stream length ([issue](https://github.com/Serial-ATA/lofty-rs/issues/470)) - **WAV**: Fix panic when calculating bit depth with abnormally large `bytes_per_sample` ([issue](https://github.com/Serial-ATA/lofty-rs/issues/471)) - **WavPack***: Fix panic when encountering wrongly sized blocks ([issue](https://github.com/Serial-ATA/lofty-rs/issues/472)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/480)) - **WavPack***: Fix panic when encountering zero-sized blocks ([issue](https://github.com/Serial-ATA/lofty-rs/issues/473)) + - **WavPack**: Verify the size of non-standard sample rate blocks ([issue](https://github.com/Serial-ATA/lofty-rs/issues/488)) - **MPEG**: Fix panic when APE tags are incorrectly sized ([issue](https://github.com/Serial-ATA/lofty-rs/issues/474)) - **MPEG**: Fix panic when calculating the stream length for files with 
improperly sized frames ([issue](https://github.com/Serial-ATA/lofty-rs/issues/487)) - **ID3v2**: Fix panic when parsing non-ASCII `TDAT` and `TIME` frames in `TDRC` conversion ([issue](https://github.com/Serial-ATA/lofty-rs/issues/477)) diff --git a/lofty/src/wavpack/properties.rs b/lofty/src/wavpack/properties.rs index ff9c9502..9105415c 100644 --- a/lofty/src/wavpack/properties.rs +++ b/lofty/src/wavpack/properties.rs @@ -333,6 +333,10 @@ fn get_extended_meta_info( match id & 0x3F { ID_NON_STANDARD_SAMPLE_RATE => { + if size < 3 { + decode_err!(@BAIL WavPack, "Encountered an invalid block size for non-standard sample rate"); + } + properties.sample_rate = reader.read_u24::()?; size -= 3; }, diff --git a/lofty/tests/fuzz/assets/wavpackfile_read_from/crash-5f9ecf40152ed0dcb39eb66003ecca7d42d56bf3_minimized b/lofty/tests/fuzz/assets/wavpackfile_read_from/crash-5f9ecf40152ed0dcb39eb66003ecca7d42d56bf3_minimized new file mode 100644 index 00000000..34f34755 Binary files /dev/null and b/lofty/tests/fuzz/assets/wavpackfile_read_from/crash-5f9ecf40152ed0dcb39eb66003ecca7d42d56bf3_minimized differ diff --git a/lofty/tests/fuzz/wavpackfile_read_from.rs b/lofty/tests/fuzz/wavpackfile_read_from.rs index c2b2376f..fda13860 100644 --- a/lofty/tests/fuzz/wavpackfile_read_from.rs +++ b/lofty/tests/fuzz/wavpackfile_read_from.rs @@ -112,3 +112,11 @@ fn panic4() { ); let _ = WavPackFile::read_from(&mut reader, ParseOptions::default()); } + +#[test_log::test] +fn panic5() { + let mut reader = crate::get_reader( + "wavpackfile_read_from/crash-5f9ecf40152ed0dcb39eb66003ecca7d42d56bf3_minimized", + ); + let _ = WavPackFile::read_from(&mut reader, ParseOptions::default()); +}
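Review bot: the new CHANGELOG line under the Fuzzing block, `- **WavPack**: Verify the size of non-standard sample rate blocks`, describes the guard rather than the symptom, while every sibling entry in that block is phrased as `Fix panic when ...`. Since the accompanying `properties.rs` change exists to stop `size -= 3` from underflowing, consider matching the block's convention, e.g. `- **WavPack**: Fix panic when non-standard sample rate blocks are smaller than 3 bytes`, keeping the issue 488 link as it is, so a reader scanning the list sees what actually failed.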
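Review bot: the `if size < 3` guard in the `ID_NON_STANDARD_SAMPLE_RATE` arm of `match id & 0x3F` is the right fix for this input, because without it `size -= 3` underflows (a panic in debug builds, a silent wrap to a huge `size` in release builds), but it is local to one arm; if the other arms of `get_extended_meta_info` follow the same read-then-`size -= N` pattern (they are outside this hunk, so this is an assumption), they need the same check, or the subtraction could be made uniform with `checked_sub` so every arm bails the same way. Two smaller points: the bail message would be more useful during fuzz triage if it carried the offending `size` value, provided `decode_err!` accepts format arguments; and the rendered `reader.read_u24::()?` shows an empty turbofish, which is presumably the byte-order type parameter lost in rendering rather than something this patch changes, but worth confirming against the real source.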
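Review bot: `panic5` only checks that `WavPackFile::read_from` returns without panicking, since `let _ = ...` discards the result; because the fixture is a minimized crash input and the matching fix bails with a decode error, asserting `assert!(WavPackFile::read_from(&mut reader, ParseOptions::default()).is_err());` would additionally catch a regression where the guard is removed but the parser happens to succeed on the garbage. The `panic5` name follows the existing `panic4` convention in this file, but a one-line doc comment referencing issue 488 and the non-standard sample rate block size would make it much easier to map the fixture back to its cause later.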