Closed
uninit-divzero-waveheader.wav.zip - contains fuzzed input
The parsing of the attached file uninit-divzero-waveheader.wav leads to a read of an uninitialized location in memory. The uninitialized read sometimes further leads to a divide-by-zero error. The uninitialized read can be uncovered using a tool such as Valgrind or MemorySanitizer. For example:
$ valgrind ./cli/wavpack uninit-divzero-waveheader.wav
==3921== Memcheck, a memory error detector
==3921== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3921== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==3921== Command: ./cli/wavpack uninit-divzero-waveheader.wav
==3921==
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
Copyright (c) 1998 - 2019 David Bryant. All Rights Reserved.
creating uninit-divzero-waveheader.wv,==3921== Conditional jump or move depends on uninitialised value(s)
==3921== at 0x41016B: ParseWave64HeaderConfig (wave64.c:211)
==3921== by 0x408A94: pack_file (wavpack.c:1777)
==3921== by 0x404AE2: main (wavpack.c:1273)
==3921==
==3921==
==3921== Process terminating with default action of signal 8 (SIGFPE)
==3921== Integer divide by zero at address 0x1002D83DC5
==3921== at 0x410214: ParseWave64HeaderConfig (wave64.c:220)
==3921== by 0x408A94: pack_file (wavpack.c:1777)
==3921== by 0x404AE2: main (wavpack.c:1273)
==3921==
It appears that this is an uninitialized read of the field WaveHeader.NumChannels on this line. This sometimes leads to a subsequent divide by zero on this line -- I guess the division instruction may or may not be executed based on what value is read for WaveHeader.NumChannels.
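Added example, not wavpack's own code: a Wave64-style fmt-chunk walker that zero-initialises the header and validates NumChannels before any division, so a file with no fmt chunk or a zero channel count fails cleanly instead of tripping SIGFPE. The WaveHeader struct, the BlockAlign / NumChannels bytes-per-sample expression and the sample buffers are assumptions constructed for this example (the report does not show the dividing expression), and only the fourCC prefix of each chunk GUID is matched.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* The fmt-chunk fields the bytes-per-sample computation depends on (hypothetical struct). */
typedef struct { uint16_t NumChannels, BlockAlign, BitsPerSample; } WaveHeader;
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
/* Walk Wave64-style chunks: 16-byte GUID, 64-bit little-endian size that includes the 24-byte
   chunk header, chunks padded to 8 bytes. Returns bytes per sample, or -1 on a bad/missing fmt. */
int parse_wave64_fmt(const uint8_t *buf, size_t len)
{
    WaveHeader hdr;
    memset(&hdr, 0, sizeof hdr);   /* zero-initialised: a missing fmt chunk leaves known values */
    int got_fmt = 0; size_t pos = 0;
    while (pos + 24 <= len) {
        uint64_t size = rd64le(buf + pos + 16);
        if (size < 24 || size > len - pos)    /* declared size must cover its header and fit */
            return -1;
        if (memcmp(buf + pos, "fmt ", 4) == 0) {   /* simplified: match only the fourCC prefix */
            if (size < 24 + 16) return -1;        /* standard fmt body is 16 bytes */
            const uint8_t *f = buf + pos + 24;
            hdr.NumChannels = rd16le(f + 2);      /* offsets as in the WAVE fmt layout */
            hdr.BlockAlign = rd16le(f + 12);
            hdr.BitsPerSample = rd16le(f + 14);
            got_fmt = 1;
        }
        pos += (size_t)((size + 7) & ~(uint64_t)7);
    }
    /* Every operand of the division is checked before it happens. */
    if (!got_fmt || hdr.NumChannels < 1 || hdr.NumChannels > 256 || hdr.BlockAlign == 0 ||
        hdr.BlockAlign % hdr.NumChannels != 0 ||
        hdr.BlockAlign / hdr.NumChannels < (hdr.BitsPerSample + 7) / 8)
        return -1;
    return hdr.BlockAlign / hdr.NumChannels;
}
/* Constructed inputs (not from the attached fuzz file): fourCC + zero GUID filler + size + body. */
static const uint8_t SAMPLE_OK[40] = { 'f','m','t',' ', 0,0,0,0,0,0,0,0,0,0,0,0, 40,0,0,0,0,0,0,0,
    1,0, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,0x02,0, 4,0, 16,0 };           /* 2 ch, BlockAlign 4, 16-bit */
static const uint8_t SAMPLE_ZERO_CH[40] = { 'f','m','t',' ', 0,0,0,0,0,0,0,0,0,0,0,0, 40,0,0,0,0,0,0,0,
    1,0, 0,0, 0x44,0xAC,0,0, 0x10,0xB1,0x02,0, 4,0, 16,0 };           /* NumChannels = 0 */
static const uint8_t SAMPLE_NO_FMT[24] = { 'd','a','t','a', 0,0,0,0,0,0,0,0,0,0,0,0, 24,0,0,0,0,0,0,0 };
int demo_ok(void)      { return parse_wave64_fmt(SAMPLE_OK, sizeof SAMPLE_OK); }       /* 2  */
int demo_zero_ch(void) { return parse_wave64_fmt(SAMPLE_ZERO_CH, sizeof SAMPLE_ZERO_CH); } /* -1 */
int demo_no_fmt(void)  { return parse_wave64_fmt(SAMPLE_NO_FMT, sizeof SAMPLE_NO_FMT); } /* -1 */
```

Running the same three inputs through a build with MemorySanitizer or under Valgrind is the quick regression check: neither the missing-fmt nor the zero-channel case should report an uninitialised read or a division.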