mackron / dr_libs

Audio decoding libraries for C/C++, each in a single source file.

SIGSEGV when reading WAV metadata #247

Closed dwuertz closed 1 year ago

dwuertz commented 1 year ago

dr_wav.h chokes on certain WAV files, resulting in segfault.

```c
#define DR_WAV_IMPLEMENTATION
#include "dr_wav.h"

int main()
{
    drwav wav;
    /* Opening the file with metadata parsing enabled is enough to trigger the crash. */
    drwav_init_file_with_metadata(&wav, "test.wav", 0, NULL);
    return 0;
}
```

```
Program received signal SIGSEGV, Segmentation fault.
0x00005555555561b9 in drwav__read_smpl_to_metadata_obj (pParser=0x7fffffffe110, pChunkHeader=0x7fffffffe160, pMetadata=0x0) at /home/dude/dr_wav_bug/dr_wav.h:2198
2198            pMetadata->type                                     = drwav_metadata_type_smpl;
─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────
0x00005555555561a7 drwav__read_smpl_to_metadata_obj+196 cmpq   $0x24,-0x68(%rbp)
0x00005555555561ac drwav__read_smpl_to_metadata_obj+201 jne    0x55555555653e <drwav__read_smpl_to_metadata_obj+1115>
0x00005555555561b2 drwav__read_smpl_to_metadata_obj+207 mov    -0x98(%rbp),%rax
0x00005555555561b9 drwav__read_smpl_to_metadata_obj+214 movl   $0x2,(%rax)
0x00005555555561bf drwav__read_smpl_to_metadata_obj+220 lea    -0x40(%rbp),%rax
0x00005555555561c3 drwav__read_smpl_to_metadata_obj+224 mov    %rax,%rdi
0x00005555555561c6 drwav__read_smpl_to_metadata_obj+227 call   0x555555565d00 <drwav_bytes_to_u32>
─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────
─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────
   rax 0x0000000000000000        rbx 0x00007fffffffe558        rcx 0x0000000000000001        rdx 0x0000000000000024
   rsi 0x000055555556c494        rdi 0x000055555556c380        rbp 0x00007fffffffde90        rsp 0x00007fffffffddf0
    r8 0x0000000000000c00         r9 0x00007fffffffe180        r10 0x0000000000000003        r11 0x0000000000000246
   r12 0x0000000000000000        r13 0x00007fffffffe568        r14 0x000055555556add8        r15 0x00007ffff7ffd000
   rip 0x00005555555561b9     eflags [ PF ZF IF RF ]            cs 0x00000033                 ss 0x0000002b
    ds 0x00000000                 es 0x00000000                 fs 0x00000000                 gs 0x00000000
─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────
2193     DRWAV_ASSERT(pChunkHeader != NULL);
2194 
2195     if (bytesJustRead == sizeof(smplHeaderData)) {
2196         drwav_uint32 iSampleLoop;
2197 
2198         pMetadata->type                                     = drwav_metadata_type_smpl;
2199         pMetadata->data.smpl.manufacturerId                 = drwav_bytes_to_u32(smplHeaderData + 0);
2200         pMetadata->data.smpl.productId                      = drwav_bytes_to_u32(smplHeaderData + 4);
2201         pMetadata->data.smpl.samplePeriodNanoseconds        = drwav_bytes_to_u32(smplHeaderData + 8);
2202         pMetadata->data.smpl.midiUnityNote                  = drwav_bytes_to_u32(smplHeaderData + 12);
2203         pMetadata->data.smpl.midiPitchFraction              = drwav_bytes_to_u32(smplHeaderData + 16);
─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────
[0] from 0x00005555555561b9 in drwav__read_smpl_to_metadata_obj+214 at /home/dude/dr_wav_bug/dr_wav.h:2198
arg pParser = 0x7fffffffe110
arg pChunkHeader = 0x7fffffffe160
arg pMetadata = 0x0
[1] from 0x0000555555557e99 in drwav__metadata_process_chunk+610 at /home/dude/dr_wav_bug/dr_wav.h:2738
arg pParser = 0x7fffffffe110
arg pChunkHeader = 0x7fffffffe160
arg allowedMetadataTypes = drwav_metadata_type_all_including_unknown
[+]
```

Obviously, the problem is that it tries to access pMetadata which for whatever reason is NULL.

Here is the test.wav used to reproduce the crash (looks like I cannot attach files):

```
┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
│00000000│ 52 49 46 46 d4 7d 02 00 ┊ 57 41 56 45 66 6d 74 20 │RIFF×}•⋄┊WAVEfmt │
│00000010│ 12 00 00 00 01 00 02 00 ┊ 44 ac 00 00 10 b1 02 00 │•⋄⋄⋄•⋄•⋄┊D×⋄⋄•×•⋄│
│00000020│ 04 00 10 00 00 00 66 61 ┊ 63 74 04 00 00 00 53 9f │•⋄•⋄⋄⋄fa┊ct•⋄⋄⋄S×│
│00000030│ 00 00 73 6d 70 6c 4e 00 ┊ 00 00 47 00 00 01 5e 00 │⋄⋄smplN⋄┊⋄⋄G⋄⋄•^⋄│
│00000040│ 00 00 93 58 00 00 39 00 ┊ 00 00 00 00 00 00 00 00 │⋄⋄×X⋄⋄9⋄┊⋄⋄⋄⋄⋄⋄⋄⋄│
│00000050│ 00 00 00 00 00 00 00 00 ┊ 00 00 12 00 00 00 6c 6f │⋄⋄⋄⋄⋄⋄⋄⋄┊⋄⋄•⋄⋄⋄lo│
│00000060│ 6f 70 00 00 00 00 01 00 ┊ 00 00 43 9f 00 00 00 00 │op⋄⋄⋄⋄•⋄┊⋄⋄C×⋄⋄⋄⋄│
│00000070│ 00 00 00 00 00 00 02 00 ┊ 39 00 00 00 00 00 00 01 │⋄⋄⋄⋄⋄⋄•⋄┊9⋄⋄⋄⋄⋄⋄•│
│00000080│ 00 00 00 00 52 9f 00 00 ┊ 64 61 74 61 4c 7d 02 00 │⋄⋄⋄⋄R×⋄⋄┊dataL}•⋄│
│00000090│ 00 00 00 00 00 00 00 00 ┊ 00 00 00 00 00 00 00 00 │⋄⋄⋄⋄⋄⋄⋄⋄┊⋄⋄⋄⋄⋄⋄⋄⋄│
│*       │                         ┊                         │        ┊        │
│00027dd0│ 00 00 00 00 00 00 00 00 ┊ 00 00 00 00             │⋄⋄⋄⋄⋄⋄⋄⋄┊⋄⋄⋄⋄    │
└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘
```

mackron commented 1 year ago

Thanks for the report. Are you able to email the file to me?

dwuertz commented 1 year ago

Thanks for looking into it!

On Monday, 19.12.2022 at 13:46 -0800, David Reid wrote:

> Thanks for the report. Are you able to email the file to me?

mackron commented 1 year ago

Did you send me an email with the file? I didn't get anything.

dwuertz commented 1 year ago

> Did you send me an email with the file? I didn't get anything.

Sorry, didn't send to the correct mail address in my original reply. I just sent it again.

mackron commented 1 year ago

Thanks. I got your test file. Is the metadata well-formed in this file? The parsing logic in dr_wav is indicating that the size of the chunk is invalid. I've fixed the crash, but if you're expecting dr_wav to properly handle that particular piece of metadata it won't work.

The fix for the crash is in the dev branch.
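
An added example, not part of the thread and not dr_wav's code: a bounds-checked RIFF chunk walk over the first 0x90 bytes of the hexdump in the report, comparing the `smpl` chunk's declared size with the size its own header fields imply. It assumes the standard `smpl` layout (36-byte header, 24 bytes per sample loop, then sampler-specific data); `check_smpl`, `smpl_check` and the `SMPL_*` codes are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First 0x90 bytes of the test.wav hexdump posted in this issue. */
static const uint8_t wav_head[] = {
  0x52,0x49,0x46,0x46,0xd4,0x7d,0x02,0x00,0x57,0x41,0x56,0x45,0x66,0x6d,0x74,0x20,
  0x12,0x00,0x00,0x00,0x01,0x00,0x02,0x00,0x44,0xac,0x00,0x00,0x10,0xb1,0x02,0x00,
  0x04,0x00,0x10,0x00,0x00,0x00,0x66,0x61,0x63,0x74,0x04,0x00,0x00,0x00,0x53,0x9f,
  0x00,0x00,0x73,0x6d,0x70,0x6c,0x4e,0x00,0x00,0x00,0x47,0x00,0x00,0x01,0x5e,0x00,
  0x00,0x00,0x93,0x58,0x00,0x00,0x39,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x12,0x00,0x00,0x00,0x6c,0x6f,
  0x6f,0x70,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x43,0x9f,0x00,0x00,0x00,0x00,
  0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x39,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
  0x00,0x00,0x00,0x00,0x52,0x9f,0x00,0x00,0x64,0x61,0x74,0x61,0x4c,0x7d,0x02,0x00
};

enum { SMPL_OK, SMPL_MISSING, SMPL_TRUNCATED, SMPL_SIZE_MISMATCH };
struct smpl_check { int status; uint32_t declared; uint64_t expected; };

static uint32_t rd32(const uint8_t *p) /* little-endian u32 */
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Walk the chunk list; compare smpl's declared size with 36 + 24*loops + sampler bytes. */
static struct smpl_check check_smpl(const uint8_t *buf, size_t len)
{
    struct smpl_check r = { SMPL_MISSING, 0, 0 };
    size_t off = 12;                          /* skip "RIFF" <size> "WAVE" */
    while (len >= 8 && off <= len - 8) {
        uint32_t size = rd32(buf + off + 4);
        size_t avail = len - off - 8;         /* bytes left after this chunk header */
        if (memcmp(buf + off, "smpl", 4) == 0) {
            r.declared = size;
            if (size < 36 || size > avail) { r.status = SMPL_TRUNCATED; return r; }
            r.expected = 36 + (uint64_t)rd32(buf + off + 8 + 28) * 24 + rd32(buf + off + 8 + 32);
            r.status = r.expected == size ? SMPL_OK : SMPL_SIZE_MISMATCH;
            return r;
        }
        if (size > avail) break;              /* chunk runs past the buffer */
        off += 8 + (size_t)size + (size & 1); /* chunks are padded to even length */
    }
    return r;
}

int main(void)
{
    struct smpl_check r = check_smpl(wav_head, sizeof wav_head);
    return printf("status=%d declared=%u implied=%llu\n", r.status, (unsigned)r.declared, (unsigned long long)r.expected) < 0;
}
```

On the posted bytes the chunk declares 78 bytes while its header fields (zero sample loops, 18 bytes of sampler data) imply 54, so the check returns `SMPL_SIZE_MISMATCH`.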

mackron commented 1 year ago

This fix was released in version 0.13.8.