found two panics with go-fuzz from Dmitry Vyukov

go-fuzz-build github.com/cryptix/wav go-fuzz -bin=./wav-fuzz -corpus=./corpus -workdir=~/wdir
cryptix · Apr 30, 2015 · 2f49a0d · 2f49a0d
1 parent 61bc089
commit 2f49a0d
Show file tree

Hide file tree

Showing 10 changed files with 91 additions and 4 deletions.
diff --git a/corpus/16_50samples.wav b/corpus/16_50samples.wav
diff --git a/corpus/16bit.wav b/corpus/16bit.wav
diff --git a/corpus/24_50samples.wav b/corpus/24_50samples.wav
diff --git a/corpus/24bit.wav b/corpus/24bit.wav
diff --git a/corpus/headers_zerosamples.wav b/corpus/headers_zerosamples.wav
diff --git a/corpus/u8bit.wav b/corpus/u8bit.wav
diff --git a/errors.go b/errors.go
@@ -10,6 +10,9 @@ var (
 	ErrNotRiff      = errors.New("Not a RIFF file")
 	ErrNotWave      = errors.New("Not a WAVE file")
 
+	ErrBrokenChunkFmt  = errors.New("could not decode chunkFmt")
+	ErrNoBitsPerSample = errors.New("could not decode chunkFmt")
+
 	ErrFormatNotSupported = errors.New("Format not supported - Only uncompressed PCM currently")
 )
 

diff --git a/fuzz.go b/fuzz.go
@@ -0,0 +1,28 @@
+// +build gofuzz
+
+package wav
+
+import (
+	"bytes"
+	"io"
+)
+
+func Fuzz(data []byte) int {
+	rd, err := NewReader(bytes.NewReader(data), int64(len(data)))
+	if err != nil {
+		if rd != nil {
+			panic("rd != nil on error")
+		}
+		return 0
+	}
+	for {
+		_, err = rd.ReadSample()
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return 0
+		}
+	}
+	return 1
+}
diff --git a/reader.go b/reader.go
@@ -130,12 +130,16 @@ readLoop:
 		}
 	}
 
-	// Is audio supported ?
-	if wav.chunkFmt.AudioFormat != 1 {
-		return ErrFormatNotSupported
+	if wav.chunkFmt == nil {
+		return ErrBrokenChunkFmt
 	}
 
 	wav.bytesPerSample = uint32(wav.chunkFmt.BitsPerSample / 8)
+
+	if wav.bytesPerSample == 0 {
+		return ErrNoBitsPerSample
+	}
+
 	wav.numSamples = wav.dataBlocSize / wav.bytesPerSample
 	wav.duration = time.Duration(float64(wav.numSamples)/float64(wav.chunkFmt.SampleRate)) * time.Second
 
@@ -144,7 +148,7 @@ readLoop:
 
 // parseChunkFmt
 func (wav *Reader) parseChunkFmt() (err error) {
-	wav.chunkFmt = &riffChunkFmt{}
+	wav.chunkFmt = new(riffChunkFmt)
 
 	if err = binary.Read(wav.input, binary.LittleEndian, wav.chunkFmt); err != nil {
 		return err
@@ -162,6 +166,11 @@ func (wav *Reader) parseChunkFmt() (err error) {
 		}
 	}
 
+	// Is audio supported ?
+	if wav.chunkFmt.AudioFormat != 1 {
+		return ErrFormatNotSupported
+	}
+
 	return nil
 }
 

diff --git a/reader_test.go b/reader_test.go
@@ -3,6 +3,7 @@ package wav
 import (
 	"bytes"
 	"io"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -194,3 +195,49 @@ func TestReadSample(t *testing.T) {
 	assert.Nil(t, err)
 	assert.Equal(t, 257, sample)
 }
+
+// panic: runtime error: invalid memory address or nil pointer dereference
+// [signal 0xb code=0x1 addr=0x4 pc=0x4399fb]
+//
+// goroutine 1 [running]:
+// github.com/cryptix/wav.(*Reader).parseHeaders(0xc208033720, 0x0, 0x0)
+// 	/tmp/go-fuzz-build857960013/src/github.com/cryptix/wav/reader.go:191 +0xe3b
+// github.com/cryptix/wav.NewReader(0x7f23a9550bd8, 0xc208037c80, 0x2d, 0xc208033720, 0x0, 0x0)
+// 	/tmp/go-fuzz-build857960013/src/github.com/cryptix/wav/reader.go:64 +0x177
+// github.com/cryptix/wav.Fuzz(0x7f23a92cf000, 0x2d, 0x100000, 0x2)
+// 	/tmp/go-fuzz-build857960013/src/github.com/cryptix/wav/fuzz.go:12 +0x167
+// github.com/dvyukov/go-fuzz/go-fuzz-dep.Main(0x570c60, 0x5d4200, 0x5f6, 0x5f6)
+// 	/home/cryptix/go/src/github.com/dvyukov/go-fuzz/go-fuzz-dep/main.go:64 +0x309
+// main.main()
+// 	/tmp/go-fuzz-build857960013/src/go-fuzz-main/main.go:10 +0x4e
+// exit status 2
+func TestReadFuzzed_panic1(t *testing.T) {
+	t.Parallel()
+	wavFile := strings.NewReader("RIFF%\x00\x00\x00WAVE0000\x10\x00\x00\x000000000000000000data00000")
+	_, err := NewReader(wavFile, int64(wavFile.Len()))
+	assert.NotNil(t, err)
+	assert.Equal(t, ErrBrokenChunkFmt, err)
+}
+
+// panic: runtime error: integer divide by zero
+// [signal 0x8 code=0x1 addr=0x439ae9 pc=0x439ae9]
+//
+// goroutine 1 [running]:
+// github.com/cryptix/wav.(*Reader).parseHeaders(0xc208032cd0, 0x0, 0x0)
+// 	/tmp/go-fuzz-build857960013/src/github.com/cryptix/wav/reader.go:200 +0xf29
+// github.com/cryptix/wav.NewReader(0x7fbca32b6bd8, 0xc208037ef0, 0x2d, 0xc208032cd0, 0x0, 0x0)
+// 	/tmp/go-fuzz-build857960013/src/github.com/cryptix/wav/reader.go:64 +0x177
+// github.com/cryptix/wav.Fuzz(0x7fbca3035000, 0x2d, 0x100000, 0x2)
+// 	/tmp/go-fuzz-build857960013/src/github.com/cryptix/wav/fuzz.go:12 +0x167
+// github.com/dvyukov/go-fuzz/go-fuzz-dep.Main(0x570c60, 0x5d4200, 0x5f6, 0x5f6)
+// 	/home/cryptix/go/src/github.com/dvyukov/go-fuzz/go-fuzz-dep/main.go:64 +0x309
+// main.main()
+// 	/tmp/go-fuzz-build857960013/src/go-fuzz-main/main.go:10 +0x4e
+// exit status 2
+func TestReadFuzzed_panic2(t *testing.T) {
+	t.Parallel()
+	wavFile := strings.NewReader("RIFF%\x00\x00\x00WAVEfmt \x10\x00\x00\x00\x01\x00000000000000\a\x00data00000")
+	_, err := NewReader(wavFile, int64(wavFile.Len()))
+	assert.NotNil(t, err)
+	assert.Equal(t, ErrBrokenChunkFmt, err)
+}