WAV: Fix panic on improperly sized INFO LISTs

Serial-ATA · Serial-ATA · commit 2a7c061e74cb · 2024-07-14T15:10:36.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -28,7 +28,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - **MP4**:
     - Fix panic when reading properties of a file with no timescale specified ([issue](https://github.com/Serial-ATA/lofty-rs/issues/418))
     - Fix panics when reading improperly sized freeform atom identifiers ([issue](https://github.com/Serial-ATA/lofty-rs/issues/425)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/426))
-  - **WAV**: Fix panic when reading properties with large written bytes per second ([issue](https://github.com/Serial-ATA/lofty-rs/issues/420))
+  - **WAV**:
+    - Fix panic when reading properties with large written bytes per second ([issue](https://github.com/Serial-ATA/lofty-rs/issues/420))
+    - Fix panic when reading an improperly sized INFO LIST ([issue](https://github.com/Serial-ATA/lofty-rs/issues/427))
   - **Vorbis**: Fix panic when reading properties of a file with large absolute granule positions ([issue](https://github.com/Serial-ATA/lofty-rs/issues/421))
   - **FLAC**: Fix panic when reading properties of a file with incorrect block sizes ([issue](https://github.com/Serial-ATA/lofty-rs/issues/422))
   - **AIFF**: Fix panic when reading properties of a file with invalid f80 sample rate ([issue](https://github.com/Serial-ATA/lofty-rs/issues/424))
diff --git a/lofty/src/iff/wav/read.rs b/lofty/src/iff/wav/read.rs
@@ -5,7 +5,7 @@ use crate::config::ParseOptions;
 use crate::error::Result;
 use crate::id3::v2::tag::Id3v2Tag;
 use crate::iff::chunk::Chunks;
-use crate::macros::decode_err;
+use crate::macros::{decode_err, err};
 
 use std::io::{Read, Seek, SeekFrom};
 
@@ -74,12 +74,25 @@ where
 				chunks.skip(data)?;
 			},
 			b"LIST" => {
+				let mut size = chunks.size;
+				if size < 4 {
+					decode_err!(@BAIL Wav, "Invalid LIST chunk size");
+				}
+
 				let mut list_type = [0; 4];
 				data.read_exact(&mut list_type)?;
 
+				size -= 4;
+
 				match &list_type {
 					b"INFO" if parse_options.read_tags => {
-						let end = data.stream_position()? + u64::from(chunks.size - 4);
+						// TODO: We already get the current position above, just keep it up to date and use it here
+						//       to avoid the seeks.
+						let end = data.stream_position()? + u64::from(size);
+						if end > file_len {
+							err!(SizeMismatch);
+						}
+
 						super::tag::read::parse_riff_info(data, &mut chunks, end, &mut riff_info)?;
 					},
 					_ => {
diff --git a/lofty/tests/fuzz/assets/wavfile_read_from/2_IDX_63_RAND_104275228651573584855676.wav b/lofty/tests/fuzz/assets/wavfile_read_from/2_IDX_63_RAND_104275228651573584855676.wav
diff --git a/lofty/tests/fuzz/wavfile_read_from.rs b/lofty/tests/fuzz/wavfile_read_from.rs
@@ -14,3 +14,10 @@ fn panic1() {
 		crate::get_reader("wavfile_read_from/2_IDX_0_RAND_85629492689553753214598.wav");
 	let _ = WavFile::read_from(&mut reader, ParseOptions::new());
 }
+
+#[test]
+fn panic2() {
+	let mut reader =
+		crate::get_reader("wavfile_read_from/2_IDX_63_RAND_104275228651573584855676.wav");
+	let _ = WavFile::read_from(&mut reader, ParseOptions::new());
+}
