WV: Add extra length check for wrong sized large blocks

Serial-ATA · Nov 2, 2024 · 440cae8 · 440cae8
1 parent 7fa146b
commit 440cae8
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/lofty/src/wavpack/properties.rs b/lofty/src/wavpack/properties.rs
@@ -224,7 +224,7 @@ where
 		log::warn!("Unable to calculate duration, unknown sample counts are not yet supported");
 		return Ok(properties);
 	}
-	
+
 	if total_samples == 0 || properties.sample_rate == 0 {
 		if parse_mode == ParsingMode::Strict {
 			decode_err!(@BAIL WavPack, "Unable to calculate duration (sample count == 0 || sample rate == 0)")
@@ -317,6 +317,10 @@ fn get_extended_meta_info(
 
 		let is_large = id & ID_FLAG_LARGE_SIZE > 0;
 		if is_large {
+			if block_size - index < 2 {
+				break;
+			}
+
 			size += u32::from(block_content[index]) << 9;
 			size += u32::from(block_content[index + 1]) << 17;
 			index += 2;

diff --git a/...uzz/assets/wavpackfile_read_from/crash-c6f0765886234e3a25b182f01bc3f92880188f5b_minimized b/...uzz/assets/wavpackfile_read_from/crash-c6f0765886234e3a25b182f01bc3f92880188f5b_minimized
diff --git a/lofty/tests/fuzz/wavpackfile_read_from.rs b/lofty/tests/fuzz/wavpackfile_read_from.rs
@@ -96,3 +96,11 @@ fn panic2() {
 	let mut reader = crate::get_reader("wavpackfile_read_from/bb");
 	let _ = WavPackFile::read_from(&mut reader, ParseOptions::default());
 }
+
+#[test_log::test]
+fn panic3() {
+	let mut reader = crate::get_reader(
+		"wavpackfile_read_from/crash-c6f0765886234e3a25b182f01bc3f92880188f5b_minimized",
+	);
+	let _ = WavPackFile::read_from(&mut reader, ParseOptions::default());
+}