Fix misc. bugs found by libfuzzer.

* Fix out-of-bounds reads in the DSMI AMF loader caused by missing
  order list bounds checks.
* Fix out-of-bounds reads in the FAR loader caused by not correctly
  bounding the maximum pattern read size.
* Fix out-of-bounds reads in the IT sample decompressors caused by
  allowing ITReadBits to read past the end of the sample buffer.
* Fix out-of-bounds reads in the MED loader caused by the MMD2PLAYSEQ
  table bounds check not including the size of the offset being read.
* Fix out-of-bounds reads in the MIDI loader caused by no bounds
  checks being performed on the mmread* and mid_read* functions.
* Fix leaks in the MIDI loader caused by not freeing MIDTRACKs.
* Fix leak and hangs in the MIDI loader caused by not releasing the
  MIDI structs and reentry flag when m_nChannels is 0.
* Fix out-of-bounds reads in the OKT loader caused by numerous bounds
  checks not correctly including the size of the data being read.
* Fix out-of-bounds reads in the PSM loader caused by dereferencing
  (PSMCHUNK *)lpStream before any bounds checks.
* Fix out-of-bounds reads in the S3M loader due to various absent
  bounds checks.
* Fix out-of-bounds reads in the ULT loader due to incorrect event
  bounding.
* Fix out-of-bounds reads in the XM loader due to not including the
  size of XMSAMPLEHEADER in the XMSAMPLEHEADER bounds check.
* Fix potential slowdown in ABC loader caused by sign extending in
  mmfgets instead of iterating on an unsigned int.

Author: AliceLR

src/load_abc.cpp

@@ -479,8 +479,9 @@ static int mmfgetc(MMFILE *mmfile)
 
 static void mmfgets(char buf[], unsigned int bufsz, MMFILE *mmfile)
 {
-	int i,b;
-	for( i=0; i<(int)bufsz-1; i++ ) {
+	unsigned int i;
+	int b;
+	for( i=0; bufsz && i<bufsz-1; i++ ) {
 		b = mmfgetc(mmfile);
 		if( b==EOF ) break;
 		buf[i] = b;

src/load_amf.cpp

@@ -317,8 +317,12 @@ BOOL CSoundFile::ReadAMF(LPCBYTE lpStream, const DWORD dwMemLength)
 			PatternSize[iOrd] = 64;
 			if (pfh->version >= 14)
 			{
+				if (dwMemPos + m_nChannels * sizeof(USHORT) + 2 > dwMemLength) return FALSE;
 				PatternSize[iOrd] = bswapLE16(*(USHORT *)(lpStream+dwMemPos));
 				dwMemPos += 2;
+			} else
+			{
+				if (dwMemPos + m_nChannels * sizeof(USHORT) > dwMemLength) return FALSE;
 			}
 			ptracks[iOrd] = (USHORT *)(lpStream+dwMemPos);
 			dwMemPos += m_nChannels * sizeof(USHORT);

src/load_far.cpp

@@ -139,7 +139,7 @@ BOOL CSoundFile::ReadFAR(const BYTE *lpStream, DWORD dwMemLength)
 		UINT patbrk = lpStream[dwMemPos];
 		const BYTE *p = lpStream + dwMemPos + 2;
 		UINT max = rows*16*4;
-		if (max > patlen-2) max = patlen-2;
+		if (max > ((patlen-2) & ~3)) max = ((patlen-2) & ~3);
 		for (UINT len=0; len<max; len += 4, m++)
 		{
 			BYTE note = p[len];

src/load_it.cpp

@@ -1182,7 +1182,7 @@ BOOL CSoundFile::SaveIT(LPCSTR lpszFileName, UINT nPacking)
 //////////////////////////////////////////////////////////////////////////////
 // IT 2.14 compression
 
-DWORD ITReadBits(DWORD &bitbuf, UINT &bitnum, LPBYTE &ibuf, CHAR n)
+DWORD ITReadBits(DWORD &bitbuf, UINT &bitnum, LPBYTE &ibuf, LPBYTE ibufend, CHAR n)
 //-----------------------------------------------------------------
 {
 	DWORD retval = 0;
@@ -1198,6 +1198,9 @@ DWORD ITReadBits(DWORD &bitbuf, UINT &bitnum, LPBYTE &ibuf, CHAR n)
 		{
 			if (!bitnum)
 			{
+				if (ibuf >= ibufend)
+					return 0;
+
 				bitbuf = *ibuf++;
 				bitnum = 8;
 			}
@@ -1218,6 +1221,7 @@ void ITUnpack8Bit(signed char *pSample, DWORD dwLen, LPBYTE lpMemFile, DWORD dwM
 {
 	signed char *pDst = pSample;
 	LPBYTE pSrc = lpMemFile;
+	LPBYTE pStop = lpMemFile + dwMemLength;
 	DWORD wHdr = 0;
 	DWORD wCount = 0;
 	DWORD bitbuf = 0;
@@ -1241,13 +1245,13 @@ void ITUnpack8Bit(signed char *pSample, DWORD dwLen, LPBYTE lpMemFile, DWORD dwM
 		DWORD dwPos = 0;
 		do
 		{
-			WORD wBits = (WORD)ITReadBits(bitbuf, bitnum, pSrc, bLeft);
+			WORD wBits = (WORD)ITReadBits(bitbuf, bitnum, pSrc, pStop, bLeft);
 			if (bLeft < 7)
 			{
 				DWORD i = 1 << (bLeft-1);
 				DWORD j = wBits & 0xFFFF;
 				if (i != j) goto UnpackByte;
-				wBits = (WORD)(ITReadBits(bitbuf, bitnum, pSrc, 3) + 1) & 0xFF;
+				wBits = (WORD)(ITReadBits(bitbuf, bitnum, pSrc, pStop, 3) + 1) & 0xFF;
 				bLeft = ((BYTE)wBits < bLeft) ? (BYTE)wBits : (BYTE)((wBits+1) & 0xFF);
 				goto Next;
 			}
@@ -1285,7 +1289,7 @@ void ITUnpack8Bit(signed char *pSample, DWORD dwLen, LPBYTE lpMemFile, DWORD dwM
 		SkipByte:
 			dwPos++;
 		Next:
-			if (pSrc >= lpMemFile+dwMemLength+1) return;
+			if (pSrc >= pStop + 1) return;
 		} while (dwPos < d);
 		// Move On
 		wCount -= d;
@@ -1300,6 +1304,7 @@ void ITUnpack16Bit(signed char *pSample, DWORD dwLen, LPBYTE lpMemFile, DWORD dw
 {
 	signed short *pDst = (signed short *)pSample;
 	LPBYTE pSrc = lpMemFile;
+	LPBYTE pStop = lpMemFile + dwMemLength;
 	DWORD wHdr = 0;
 	DWORD wCount = 0;
 	DWORD bitbuf = 0;
@@ -1324,13 +1329,13 @@ void ITUnpack16Bit(signed char *pSample, DWORD dwLen, LPBYTE lpMemFile, DWORD dw
 		DWORD dwPos = 0;
 		do
 		{
-			DWORD dwBits = ITReadBits(bitbuf, bitnum, pSrc, bLeft);
+			DWORD dwBits = ITReadBits(bitbuf, bitnum, pSrc, pStop, bLeft);
 			if (bLeft < 7)
 			{
 				DWORD i = 1 << (bLeft-1);
 				DWORD j = dwBits;
 				if (i != j) goto UnpackByte;
-				dwBits = ITReadBits(bitbuf, bitnum, pSrc, 4) + 1;
+				dwBits = ITReadBits(bitbuf, bitnum, pSrc, pStop, 4) + 1;
 				bLeft = ((BYTE)(dwBits & 0xFF) < bLeft) ? (BYTE)(dwBits & 0xFF) : (BYTE)((dwBits+1) & 0xFF);
 				goto Next;
 			}
@@ -1368,13 +1373,13 @@ void ITUnpack16Bit(signed char *pSample, DWORD dwLen, LPBYTE lpMemFile, DWORD dw
 		SkipByte:
 			dwPos++;
 		Next:
-			if (pSrc >= lpMemFile+dwMemLength+1) return;
+			if (pSrc >= pStop + 1) return;
 		} while (dwPos < d);
 		// Move On
 		wCount -= d;
 		dwLen -= d;
 		pDst += d;
-		if (pSrc >= lpMemFile+dwMemLength) break;
+		if (pSrc >= pStop) break;
 	}
 }
 

src/load_med.cpp

@@ -662,7 +662,7 @@ BOOL CSoundFile::ReadMed(const BYTE *lpStream, DWORD dwMemLength)
 			}
 			UINT pseq = 0;
 
-			if ((playseqtable) && (playseqtable < dwMemLength) && (nplayseq*4 < dwMemLength - playseqtable))
+			if ((playseqtable) && (playseqtable < dwMemLength) && (nplayseq*4 + 4 < dwMemLength - playseqtable))
 			{
 				pseq = bswapBE32(((LPDWORD)(lpStream+playseqtable))[nplayseq]);
 			}

src/load_mid.cpp

@@ -105,6 +105,7 @@ typedef struct {
 	char *mm;
 	unsigned int sz;
 	int pos;
+	int err;
 } MMFILE;
 
 static void mmfseek(MMFILE *mmfile, long p, int whence)
@@ -130,21 +131,38 @@ static long mmftell(MMFILE *mmfile)
 static BYTE mmreadUBYTE(MMFILE *mmfile)
 {
 	BYTE b;
+	if ((unsigned int)mmfile->pos >= mmfile->sz)
+	{
+		mmfile->err = EOF;
+		return 0;
+	}
 	b = (BYTE)mmfile->mm[mmfile->pos];
 	mmfile->pos++;
 	return b;
 }
 
-static void mmreadUBYTES(BYTE *buf, long sz, MMFILE *mmfile)
+static unsigned long mmreadUBYTES(BYTE *buf, unsigned long sz, MMFILE *mmfile)
 {
+	if ((unsigned long)mmfile->pos + sz >= mmfile->sz)
+	{
+		mmfile->err = EOF;
+		return 0;
+	}
 	memcpy(buf, &mmfile->mm[mmfile->pos], sz);
 	mmfile->pos += sz;
+	return sz;
 }
 
-static void mmreadSBYTES(char *buf, long sz, MMFILE *mmfile)
+static unsigned long mmreadSBYTES(char *buf, long sz, MMFILE *mmfile)
 {
+	if ((unsigned long)mmfile->pos + sz >= mmfile->sz)
+	{
+		mmfile->err = EOF;
+		return 0;
+	}
 	memcpy(buf, &mmfile->mm[mmfile->pos], sz);
 	mmfile->pos += sz;
+	return sz;
 }
 
 /**********************************************************************/
@@ -709,14 +727,15 @@ static void mid_add_pitchwheel(MIDHANDLE *h, int mch, int wheel)
 static uint32_t mid_read_long(MIDHANDLE *h)
 {
 	BYTE buf[4];
-	mmreadUBYTES(buf, 4, h->mmf);
+	if (!mmreadUBYTES(buf, 4, h->mmf)) return -1;
+
 	return (buf[0]<<24)|(buf[1]<<16)|(buf[2]<<8)|buf[3];
 }
 
 static short int mid_read_short(MIDHANDLE *h)
 {
 	BYTE buf[2];
-	mmreadUBYTES(buf, 2, h->mmf);
+	if (!mmreadUBYTES(buf, 2, h->mmf)) return -1;
 	return (buf[0]<<8)|buf[1];
 }
 
@@ -750,6 +769,7 @@ BOOL CSoundFile::TestMID(const BYTE *lpStream, DWORD dwMemLength)
 	MMFILE mm;
 	mm.mm = (char *)lpStream;
 	mm.sz = dwMemLength;
+	mm.err = 0;
 	h.mmf = &mm;
 	if (h.mmf->sz < 4) return FALSE;
 	mmfseek(h.mmf,0,SEEK_SET);
@@ -791,6 +811,7 @@ static void MID_CleanupTracks(MIDHANDLE *handle)
 		for( tp=handle->track; tp; tp = tn ) {
 			tn=tp->next;
 			MID_CleanupTrack(tp);
+			free(tp);
 		}
 		handle->track = NULL;
 	}
@@ -1172,19 +1193,14 @@ BOOL CSoundFile::ReadMID(const BYTE *lpStream, DWORD dwMemLength)
 	BYTE *p;
 	while( avoid_reentry ) sleep(1);
 	avoid_reentry = 1;
-	if( !TestMID(lpStream, dwMemLength) ) {
-		avoid_reentry = 0;
-		return FALSE;
-	}
+	if( !TestMID(lpStream, dwMemLength) ) goto ErrorExit;
 	h = MID_Init();
-	if( !h ) {
-		avoid_reentry = 0;
-		return FALSE;
-	}
+	if( !h ) goto ErrorExit;
 	h->mmf = &mm;
 	mm.mm = (char *)lpStream;
 	mm.sz = dwMemLength;
 	mm.pos = 0;
+	mm.err = 0;
 	h->debug = getenv(ENV_MMMID_DEBUG);
 	h->verbose = getenv(ENV_MMMID_VERBOSE);
 	pat_resetsmp();
@@ -1193,6 +1209,8 @@ BOOL CSoundFile::ReadMID(const BYTE *lpStream, DWORD dwMemLength)
 	h->midiformat	= mid_read_short(h);
 	h->miditracks = mid_read_short(h);
 	h->resolution = mid_read_short(h);
+	if (mm.err) goto ErrorCleanup;
+
 	// at this point the h->mmf is positioned at first miditrack
 	if( h->midiformat == 0 ) h->miditracks = 1;
 	if( h->resolution & 0x8000 )
@@ -1205,11 +1223,8 @@ BOOL CSoundFile::ReadMID(const BYTE *lpStream, DWORD dwMemLength)
 	m_nDefaultTempo = 0;
 	h->tracktime = 0;
 	h->speed = 6;
-	if (h->miditracks == 0) {
-		MID_Cleanup(h);
-		avoid_reentry = 0;
-		return FALSE;
-	}
+	if (h->miditracks == 0) goto ErrorCleanup;
+
 	p = (BYTE *)getenv(ENV_MMMID_SPEED);
 	if( p && isdigit(*p) && p[0] != '0' && p[1] == '\0' ) {
 		// transform speed
@@ -1247,19 +1262,18 @@ BOOL CSoundFile::ReadMID(const BYTE *lpStream, DWORD dwMemLength)
 	}
 	for( t=0; t<(uint32_t)h->miditracks; t++ ) {
 		if( h->verbose ) printf("Parsing track %d\n", t+1);
-		mmreadSBYTES(buf,4,h->mmf);
+		if (!mmreadSBYTES(buf,4,h->mmf)) goto ErrorCleanup;
 		buf[4] = '\0';
 		if( strcmp(buf,"MTrk") ) {
 			mid_message("invalid track-chunk '%s' is not 'MTrk'",buf);
-			MID_Cleanup(h);
-			avoid_reentry = 0;
-			return FALSE;
+			goto ErrorCleanup;
 		}
 		miditracklen = mid_read_long(h);
-		if (mm.sz < miditracklen) continue;
+		if (mm.err || mm.sz < miditracklen) continue;
 		runningstatus = 0;
 		if( t && h->midiformat == 1 ) mid_rewind_tracks(h); // tracks sound simultaneously
 		while( miditracklen > 0 ) {
+			if (mm.err) break;
 			miditracklen -= mid_read_delta(h);
 			midibyte[0] = mid_read_byte(h);
 			miditracklen--;
@@ -1378,6 +1392,7 @@ BOOL CSoundFile::ReadMID(const BYTE *lpStream, DWORD dwMemLength)
 								t, (long)(h->tracktime), midibyte[0]);
 							while( midibyte[0] != 0xf7 ) {
 								midibyte[0] = mid_read_byte(h);
+								if (mm.err) break;
 								miditracklen--;
 								if( h->debug ) printf(" %02X", midibyte[0]);
 							}
@@ -1399,6 +1414,7 @@ BOOL CSoundFile::ReadMID(const BYTE *lpStream, DWORD dwMemLength)
 								t, (long)(h->tracktime), metalen);
 							while( metalen > 0 ) {
 								midibyte[1] = mid_read_byte(h);
+								if (mm.err) break;
 								metalen--;
 								miditracklen--;
 								if( h->debug ) printf(" %02X", midibyte[1]);
@@ -1411,13 +1427,14 @@ BOOL CSoundFile::ReadMID(const BYTE *lpStream, DWORD dwMemLength)
 							metalen = h->deltatime;
 							if( metalen > 31 ) metalen = 31;
 							if( metalen ) {
-								mmreadSBYTES(buf, metalen, h->mmf);
+								if (!mmreadSBYTES(buf, metalen, h->mmf)) break;
 								miditracklen -= metalen;
 							}
 							buf[metalen] = '\0';
 							metalen = h->deltatime - metalen;
 							while( metalen > 0 ) {
 								midibyte[1] = mid_read_byte(h);
+								if (mm.err) break;
 								metalen--;
 								miditracklen--;
 							}
@@ -1467,7 +1484,7 @@ BOOL CSoundFile::ReadMID(const BYTE *lpStream, DWORD dwMemLength)
 			}
 			if( miditracklen < 1 && (runningstatus != 0xff || midibyte[0] != 0x2f) ) {
 				delta = mmftell(h->mmf);
-				mmreadSBYTES(buf,4,h->mmf);
+				if (!mmreadSBYTES(buf,4,h->mmf)) break;
 				buf[4] = '\0';
 				if( strcmp(buf,"MTrk") ) {
 					miditracklen = 0x7fffffff;
@@ -1545,15 +1562,13 @@ BOOL CSoundFile::ReadMID(const BYTE *lpStream, DWORD dwMemLength)
 	m_dwSongFlags   = SONG_LINEARSLIDES;
 	m_nMinPeriod    = 28 << 2;
 	m_nMaxPeriod    = 1712 << 3;
-	if (m_nChannels == 0)
-		return FALSE;
+	if (m_nChannels == 0) goto ErrorCleanup;
+
 	// orderlist
 	for(t=0; t < numpats; t++)
 		Order[t] = t;
-	if( !PAT_Load_Instruments(this) ) {
-		avoid_reentry = 0;
-		return FALSE;
-	}
+	if( !PAT_Load_Instruments(this) ) goto ErrorCleanup;
+
 	// ==============================
 	// Load the pattern info now!
 	if( MID_ReadPatterns(Patterns, PatternSize, h, numpats, m_nChannels) ) {
@@ -1581,4 +1596,10 @@ BOOL CSoundFile::ReadMID(const BYTE *lpStream, DWORD dwMemLength)
 	MID_Cleanup(h);	// we dont need it anymore
 	avoid_reentry = 0; // it is safe now, I'm finished
 	return TRUE;
+
+ErrorCleanup:
+	MID_Cleanup(h);
+ErrorExit:
+	avoid_reentry = 0;
+	return FALSE;
 }