Address infinite loops while reading ID3v2 tags. (#48)

LorenVS · Loren Van Spronsen · web-flow · commit f98c564dc106 · 2025-04-06T12:51:38.000-04:00
The `Buffer.read()` call will infinitely loop if the number of bytes
remaining in the file is less than the requested size. A large number of
`read()` calls in `ID3v2Parser` are at risk of infinitely looping on
malformed files. I'm changing `Buffer` to throw an exception when it
detects there are no more bytes to read from the file.

There is a more egregious case with the potential `Xing` header. The
parser blindly reads 1500 bytes to search for the header, but there is
no guarantee (even in a well-formed file) that there will be 1500 more
bytes remaining to be read. I'm introducing a `readAtMost` method to
`Buffer` which will handle cases where there are fewer than `size` bytes
remaining in the file.

I'm also updating some of the logic which is checking for the start of
the `Xing` header to be safer, checking to ensure that there are enough
bytes remaining to parse the data from this header.

Co-authored-by: Loren Van Spronsen &lt;lorenvs@google.com&gt;
diff --git a/lib/src/parsers/id3v2.dart b/lib/src/parsers/id3v2.dart
@@ -246,15 +246,16 @@ class ID3v2Parser extends TagParser {
       metadata.bitrate = _getBitrate(mpegVersion, mpegLayer, bitrateIndex);
 
       // arbitrary choice.  Usually the `Xing` header is located after ~30 bytes
-      // then the header size is about ~150 bytes
-      final possibleXingHeader = buffer.read(1500);
+      // then the header size is about ~150 bytes.
+      final possibleXingHeader = buffer.readAtMost(1500);
 
       int i = 0;
-      while (possibleXingHeader[i] == 0) {
+      while (i < possibleXingHeader.length && possibleXingHeader[i] == 0) {
         i++;
       }
 
-      if (possibleXingHeader[i] == 0x58 &&
+      if ((i < possibleXingHeader.length - 11) &&
+          possibleXingHeader[i] == 0x58 &&
           possibleXingHeader[i + 1] == 0X69 &&
           possibleXingHeader[i + 2] == 0x6E &&
           possibleXingHeader[i + 3] == 0x67) {
diff --git a/lib/src/utils/buffer.dart b/lib/src/utils/buffer.dart
@@ -1,13 +1,21 @@
 import 'dart:io';
+import 'dart:math';
 import 'dart:typed_data';
 
+import '../../audio_metadata_reader.dart';
+
 class Buffer {
   final RandomAccessFile randomAccessFile;
   final Uint8List _buffer;
   int _cursor = 0;
   int _bufferedBytes = 0; // Track how many bytes are actually in the buffer
   static final int _bufferSize = 16384;
 
+  /// The number of bytes remaining to be read from the file.
+  int get remainingBytes =>
+      (_bufferedBytes - _cursor) +
+      (randomAccessFile.lengthSync() - randomAccessFile.positionSync());
+
   Buffer({required this.randomAccessFile}) : _buffer = Uint8List(_bufferSize) {
     _fill();
   }
@@ -17,6 +25,19 @@ class Buffer {
     _cursor = 0;
   }
 
+  /// Throws a [MetadataParserException] if a previous call to [_fill]
+  /// was unable to read any data from the file.
+  ///
+  /// Once the end of the file is reached, subsequent reads from
+  /// [RandomAccessFile] will read 0 bytes without failing. This
+  /// can cause [read] below to infinite loop.
+  void _throwOnNoData() {
+    if (_bufferedBytes == 0) {
+      throw MetadataParserException(
+          track: File(""), message: "Expected more data in file");
+    }
+  }
+
   Uint8List read(int size) {
     // if we read something big (~100kb), we can read it directly from file
     // it makes the read faster
@@ -61,12 +82,24 @@ class Buffer {
         // Fill buffer again if more data is needed
         if (filled < size) {
           _fill();
+          // Avoid infinite loops if we are trying to read
+          // more data than there is left in the file.
+          _throwOnNoData();
         }
       }
       return result;
     }
   }
 
+  /// Reads at most [size] bytes from the file.
+  ///
+  /// May return a smaller list if [remainingBytes] is
+  /// less than [size].
+  Uint8List readAtMost(int size) {
+    final readSize = min(size, remainingBytes);
+    return read(readSize);
+  }
+
   void setPositionSync(int position) {
     randomAccessFile.setPositionSync(position);
     _fill();
diff --git a/test/mp3/caress-your-soul-cleaned-truncated.mp3 b/test/mp3/caress-your-soul-cleaned-truncated.mp3
diff --git a/test/mp3/mp3_parser_test.dart b/test/mp3/mp3_parser_test.dart
@@ -46,4 +46,18 @@ void main() {
     expect(result.duration, Duration(minutes: 3, seconds: 22));
     expect(result.sampleRate, 44100);
   });
+
+  test("Parses from truncated mp3 file", () {
+    // The caress-your-soul-truncated-cleaned.mp3 file is truncated
+    // immediately before the Xing header. We should still be able
+    // to read the ID3 tag data.
+    final track = File("./test/mp3/caress-your-soul-cleaned-truncated.mp3");
+    final result = readMetadata(track, getImage: false);
+    expect(result.pictures.length, 0);
+    expect(result.album, "Caress Your Soul");
+    expect(result.title, "How to Fly");
+    expect(result.artist, "Sticky Fingers");
+    expect(result.year, DateTime(2013));
+    expect(result.sampleRate, 44100);
+  });
 }
