fix(audio): guard EXTENSIBLE fmt OOB read on truncated buffer; document padded-container gap

This commit is contained in:
daniel-c-harvey
2026-06-10 15:24:31 -04:00
parent 88ac5b2c88
commit 6c602170a9
@@ -174,6 +174,11 @@ public class AudioProcessor
return new WavValidationResult { IsValid = false, ErrorMessage = "Invalid data: EXTENSIBLE fmt chunk too small" };
}
if (fmtChunkPos + 8 + 40 > buffer.Length)
{
return new WavValidationResult { IsValid = false, ErrorMessage = "Invalid data: EXTENSIBLE fmt chunk extends past end of file" };
}
// SubFormat GUID begins 24 bytes into the fmt chunk data (fmtChunkPos + 8 + 24). Its
// first two bytes are the little-endian format tag; 0x0001 == WAVE_FORMAT_PCM.
var subFormatPos = fmtChunkPos + 8 + 24;
@@ -220,6 +225,9 @@ public class AudioProcessor
// For EXTENSIBLE the offset-22 field is the container width; the true sample depth lives in
// wValidBitsPerSample (fmtChunkPos + 8 + 18). They usually match (Bandcamp 24-bit = 24/24)
// but the valid bits are authoritative for the normalized header and metadata.
// Note: padded-container EXTENSIBLE (e.g. 24-bit valid in a 32-bit container) is not yet
// supported — the mismatched BlockAlign will cause ValidateAudioParameters to throw and fall
// back to defaults. This is an accepted gap as of this fix.
if (validation.IsExtensible)
{
bitsPerSample = BitConverter.ToUInt16(buffer, validation.FmtChunkPos + 8 + 18);