libmodplug: Fix misc. loader crashes and leaks found by libFuzzer:

Patchset by Alice Rowan: Konstanty/libmodplug#58

* AMF (DSMI): fix out-of-bounds reads caused by missing order list
       bounds checks.
* DBM: fix leaks caused by duplicate instrument chunks being loaded.
* FAR: fix out-of-bounds reads due to not correctly bounding the
       maximum pattern read size.
* IT:  fix out-of-bounds reads in the IT sample decompressors caused
       by allowing ITReadBits to read past the end of the buffer.
* MED: fix out-of-bounds reads due to a faulty MMD2PLAYSEQ bounds check.
* MED: fix out-of-bounds reads due to bad sample bounding.
* MED: fix out-of-bounds reads due to bad block name bounding (and
       potential missing nul terminators).
* OKT: fix out-of-bounds reads due to incorrect OKTSAMPLE bounding.
* OKT: fix out-of-bounds reads due to bad chunk header and order
       list bounding.
* OKT: fix playback errors caused by skipping the first two orders in
       the order list.
* S3M: fix out-of-bounds reads due to missing order list bounds check.
* S3M: fix out-of-bounds reads due to missing offset list bounds check.
* S3M: fix out-of-bounds reads due to missing panning table check.
* STM: fix pattern leaks and pattern size corruption caused by missing
       MAX_PATTERNS check.
* ULT: fix out-of-bounds reads due to incorrect event bounding.
* WAV: fix out-of-bounds reads due to not bounds checking the fmt chunk.
* WAV: fix hangs caused by missing chunk length bounds check.
* WAV: constify pointers derived from lpStream.
* XM:  fix out-of-bounds reads due to broken XMSAMPLEHEADER check.
* XM:  fix out-of-bounds reads due to missing pattern data checks.
* XM:  fix slow loads caused by bad bounding in instrument/sample
       loops, add other various missing bounds checks.

- Fix AMS loader crash and slow load bugs found by libFuzzer:

* AMS: fix AMS out-of-bounds reads due to missing song comments checks.
* AMS: fix AMS out-of-bounds reads due to missing order list check.
* AMS: fix AMS out-of-bounds reads due to missing pattern/track checks.
* AMS: fix AMS2 out-of-bounds reads due to missing/broken instrument
       and envelope bounds checks.
* AMS: fix AMS2 out-of-bounds reads due to missing sample bounds checks.
* AMS: fix ReadSample out-of-bounds reads due to overflow in packed
       size bounds check.
* AMS: fix AMSUnpack out-of-bounds reads due to missing RLE unpacking
       bounds checks.
* AMS: reduce AMSUnpack slow loads by rejecting samples with truncated
       or invalid RLE.
* AMS: reduce AMSUnpack slow loads by shrinking samples if their packed
       size couldn't possibly store them.
* AMS: constify pointers derived from lpStream.

- Fix DMF loader crash/hang/slow load bugs found by libFuzzer:

* DMF: fix faulty bounds checks for INFO, SEQU, and SMPI chunks.
* DMF: add numerous missing bounds checks for patterns and track data.
* DMF: fix out-of-bounds reads caused by missing sample bounds check.
* DMF: fix hangs caused by duplicate PATT chunks.
* DMF: fix sample leaks caused by duplicate SMPD chunks.
* DMF: fix slow loads caused by missing EOF check in DMFUnpack.
* DMF: constify pointers derived from lpStream.

- Fix MDL loader crash bugs found by libFuzzer:

* MDL: fix out-of-bounds reads due to missing info chunk bounds check.
* MDL: fix out-of-bounds reads due to a missing bounds check when
       loading instruments.
* MDL: fix out-of-bounds reads and other bugs due to bad envelope
       bounding and missing duplicate envelope chunk checks.
* MDL: fix out-of-bounds reads due to broken track bounds checks.

- Fix MT2 loader crashes and hangs found by libFuzzer:

* MT2: fix out-of-bounds reads due to missing nDrumDataLen check.
* MT2: fix out-of-bounds reads due to missing pattern/track checks.
* MT2: fix out-of-bounds reads due to broken/nonsensical instrument
       bounds checks.
* MT2: fix out-of-bounds reads due to missing sample data length
       bounds check.
* MT2: fix out-of-bounds reads due to bad checks on group structs.
* MT2: fix hangs caused by overflows preventing the data chunk size
       bounds check from working.
* MT2: constify pattern data pointer derived from lpStream.

- Fix PSM loader crash bugs found by libFuzzer:

* PSM: fix out-of-bounds reads due to dereferencing lpStream before
       any bounds checks.
* PSM: fix out-of-bounds reads due to reading pPsmPat.data from the
       stack instead of the input buffer.
* PSM: fix out-of-bounds reads due to invalid samples in patterns.
* PSM: fix missing pattern length byte-swapping.
* PSM: constify pattern data pointer derived from lpStream.

Author: sezero

src/libmodplug/load_amf.c

@@ -299,8 +299,12 @@ BOOL CSoundFile_ReadAMF(CSoundFile *_this, LPCBYTE lpStream, const DWORD dwMemLe
 			_this->PatternSize[iOrd] = 64;
 			if (pfh->version >= 14)
 			{
+				if (dwMemPos + _this->m_nChannels * sizeof(USHORT) + 2 > dwMemLength) return FALSE;
 				_this->PatternSize[iOrd] = bswapLE16(*(USHORT *)(lpStream+dwMemPos));
 				dwMemPos += 2;
+			} else
+			{
+				if (dwMemPos + _this->m_nChannels * sizeof(USHORT) > dwMemLength) return FALSE;
 			}
 			ptracks[iOrd] = (USHORT *)(lpStream+dwMemPos);
 			dwMemPos += _this->m_nChannels * sizeof(USHORT);

src/libmodplug/load_ams.c

@@ -36,15 +36,16 @@ typedef struct AMSSAMPLEHEADER
 
 #pragma pack()
 
+static BOOL AMSUnpackCheck(const BYTE *lpStream, DWORD dwMemLength, MODINSTRUMENT *ins);
 
 BOOL CSoundFile_ReadAMS(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 //-----------------------------------------------------------
 {
 //	BYTE pkinf[MAX_SAMPLES];
-	AMSFILEHEADER *pfh = (AMSFILEHEADER *)lpStream;
+	const AMSFILEHEADER *pfh = (AMSFILEHEADER *)lpStream;
 	DWORD dwMemPos;
 	UINT tmp, tmp2;
-	
+
 	if ((!lpStream) || (dwMemLength < 1024)) return FALSE;
 	if ((pfh->verhi != 0x01) || (SDL_strncmp(pfh->szHeader, "Extreme", 7))
 	 || (!pfh->patterns) || (!pfh->orders) || (!pfh->samples) || (pfh->samples >= MAX_SAMPLES)
@@ -60,7 +61,7 @@ BOOL CSoundFile_ReadAMS(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 	_this->m_nSamples = pfh->samples;
 	for (UINT nSmp=1; nSmp<=_this->m_nSamples; nSmp++, dwMemPos += sizeof(AMSSAMPLEHEADER))
 	{
-		AMSSAMPLEHEADER *psh = (AMSSAMPLEHEADER *)(lpStream + dwMemPos);
+		const AMSSAMPLEHEADER *psh = (AMSSAMPLEHEADER *)(lpStream + dwMemPos);
 		MODINSTRUMENT *pins = &_this->Ins[nSmp];
 		pins->nLength = psh->length;
 		pins->nLoopStart = psh->loopstart;
@@ -106,14 +107,16 @@ BOOL CSoundFile_ReadAMS(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 		dwMemPos += tmp;
 	}
 	// Read Song Comments
+	if (dwMemPos + 2 > dwMemLength) return TRUE;
 	tmp = *((WORD *)(lpStream+dwMemPos));
 	dwMemPos += 2;
-	if (dwMemPos + tmp >= dwMemLength) return TRUE;
+	if (tmp >= dwMemLength || dwMemPos > dwMemLength - tmp) return TRUE;
 	if (tmp)
 	{
 		dwMemPos += tmp;
 	}
 	// Read Order List
+	if (2*pfh->orders >= dwMemLength || dwMemPos > dwMemLength - 2*pfh->orders) return TRUE;
 	for (UINT iOrd=0; iOrd<pfh->orders; iOrd++, dwMemPos += 2)
 	{
 		UINT n = *((WORD *)(lpStream+dwMemPos));
@@ -125,7 +128,7 @@ BOOL CSoundFile_ReadAMS(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 		if (dwMemPos + 4 >= dwMemLength) return TRUE;
 		UINT len = *((DWORD *)(lpStream + dwMemPos));
 		dwMemPos += 4;
-		if ((len >= dwMemLength) || (dwMemPos + len > dwMemLength)) return TRUE;
+		if ((len >= dwMemLength) || (dwMemPos > dwMemLength - len)) return TRUE;
 		_this->PatternSize[iPat] = 64;
 		MODCOMMAND *m = CSoundFile_AllocatePattern(_this->PatternSize[iPat], _this->m_nChannels);
 		if (!m) return TRUE;
@@ -141,6 +144,7 @@ BOOL CSoundFile_ReadAMS(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 			// Note+Instr
 			if (!(b0 & 0x40))
 			{
+				if (i+1 > len) break;
 				b2 = p[i++];
 				if (ch < _this->m_nChannels)
 				{
@@ -149,6 +153,7 @@ BOOL CSoundFile_ReadAMS(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 				}
 				if (b1 & 0x80)
 				{
+					if (i+1 > len) break;
 					b0 |= 0x40;
 					b1 = p[i++];
 				}
@@ -166,6 +171,7 @@ BOOL CSoundFile_ReadAMS(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 					}
 				} else
 				{
+					if (i+1 > len) break;
 					b2 = p[i++];
 					if (ch < _this->m_nChannels)
 					{
@@ -208,6 +214,7 @@ BOOL CSoundFile_ReadAMS(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 				}
 				if (b1 & 0x80)
 				{
+					if (i+1 > len) break;
 					b1 = p[i++];
 					if (i <= len) goto anothercommand;
 				}
@@ -225,7 +232,8 @@ BOOL CSoundFile_ReadAMS(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 	{
 		if (dwMemPos >= dwMemLength - 9) return TRUE;
 		UINT flags = (_this->Ins[iSmp].uFlags & CHN_16BIT) ? RS_AMS16 : RS_AMS8;
-		dwMemPos += CSoundFile_ReadSample(_this, &_this->Ins[iSmp], flags, (LPSTR)(lpStream+dwMemPos), dwMemLength-dwMemPos);
+		if (!AMSUnpackCheck(lpStream+dwMemPos, dwMemLength-dwMemPos, &_this->Ins[iSmp])) break;
+		dwMemPos += CSoundFile_ReadSample(_this, &_this->Ins[iSmp], flags, (LPCSTR)(lpStream+dwMemPos), dwMemLength-dwMemPos);
 	}
 	return TRUE;
 }
@@ -288,15 +296,14 @@ typedef struct AMS2SAMPLE
 	BYTE flags;
 } AMS2SAMPLE;
 
-
 #pragma pack()
 
 
 BOOL CSoundFile_ReadAMS2(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 //------------------------------------------------------------
 {
 	const AMS2FILEHEADER *pfh = (AMS2FILEHEADER *)lpStream;
-	AMS2SONGHEADER *psh;
+	const AMS2SONGHEADER *psh;
 	DWORD dwMemPos;
 	BYTE smpmap[16];
 	BYTE packedsamples[MAX_SAMPLES];
@@ -317,18 +324,22 @@ BOOL CSoundFile_ReadAMS2(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 	if (psh->flags & 0x40) _this->m_dwSongFlags |= SONG_LINEARSLIDES;
 	for (UINT nIns=1; nIns<=_this->m_nInstruments; nIns++)
 	{
+		if (dwMemPos >= dwMemLength) return TRUE;
 		const UINT insnamelen = lpStream[dwMemPos];
 		dwMemPos += insnamelen + 1;
-		AMS2INSTRUMENT *pins = (AMS2INSTRUMENT *)(lpStream + dwMemPos);
+		const AMS2INSTRUMENT *pins = (AMS2INSTRUMENT *)(lpStream + dwMemPos);
 		dwMemPos += sizeof(AMS2INSTRUMENT);
-		if (dwMemPos + 1024 >= dwMemLength) return TRUE;
-		AMS2ENVELOPE *volenv, *panenv, *pitchenv;
+		const AMS2ENVELOPE *volenv, *panenv, *pitchenv;
+		if (dwMemPos + sizeof(AMS2ENVELOPE) > dwMemLength) return TRUE;
 		volenv = (AMS2ENVELOPE *)(lpStream+dwMemPos);
 		dwMemPos += 5 + volenv->points*3;
+		if (dwMemPos + sizeof(AMS2ENVELOPE) > dwMemLength) return TRUE;
 		panenv = (AMS2ENVELOPE *)(lpStream+dwMemPos);
 		dwMemPos += 5 + panenv->points*3;
+		if (dwMemPos + sizeof(AMS2ENVELOPE) > dwMemLength) return TRUE;
 		pitchenv = (AMS2ENVELOPE *)(lpStream+dwMemPos);
 		dwMemPos += 5 + pitchenv->points*3;
+		if (dwMemPos >= dwMemLength) return TRUE;
 		INSTRUMENTHEADER *penv = (INSTRUMENTHEADER *) SDL_calloc(1, sizeof (INSTRUMENTHEADER));
 		if (!penv) return TRUE;
 		SDL_memset(smpmap, 0, sizeof(smpmap));
@@ -361,6 +372,7 @@ BOOL CSoundFile_ReadAMS2(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 				penv->VolPoints[i] = (WORD)pos;
 			}
 		}
+		if (dwMemPos + 5 > dwMemLength) return TRUE;
 		penv->nFadeOut = (((lpStream[dwMemPos+2] & 0x0F) << 8) | (lpStream[dwMemPos+1])) << 3;
 		UINT envflags = lpStream[dwMemPos+3];
 		if (envflags & 0x01) penv->dwFlags |= ENV_VOLLOOP;
@@ -370,12 +382,15 @@ BOOL CSoundFile_ReadAMS2(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 		// Read Samples
 		for (UINT ismp=0; ismp<pins->samples; ismp++)
 		{
+			if (dwMemPos + 1 > dwMemLength) return TRUE;
 			MODINSTRUMENT *psmp = ((ismp < 16) && (smpmap[ismp])) ? &_this->Ins[smpmap[ismp]] : NULL;
 			const UINT smpnamelen = lpStream[dwMemPos];
+			if (dwMemPos + smpnamelen + 1 > dwMemLength) return TRUE;
 			dwMemPos += smpnamelen + 1;
+			if (dwMemPos + sizeof(AMS2SAMPLE) > dwMemLength) return TRUE;
 			if (psmp)
 			{
-				AMS2SAMPLE *pams = (AMS2SAMPLE *)(lpStream+dwMemPos);
+				const AMS2SAMPLE *pams = (AMS2SAMPLE *)(lpStream+dwMemPos);
 				psmp->nGlobalVol = 64;
 				psmp->nPan = 128;
 				psmp->nLength = pams->length;
@@ -502,24 +517,48 @@ BOOL CSoundFile_ReadAMS2(CSoundFile *_this, LPCBYTE lpStream, DWORD dwMemLength)
 		if (packedsamples[iSmp] & 0x03)
 		{
 			flags = (_this->Ins[iSmp].uFlags & CHN_16BIT) ? RS_AMS16 : RS_AMS8;
+			if (!AMSUnpackCheck(lpStream+dwMemPos, dwMemLength-dwMemPos, &_this->Ins[iSmp])) break;
 		} else
 		{
 			flags = (_this->Ins[iSmp].uFlags & CHN_16BIT) ? RS_PCM16S : RS_PCM8S;
 		}
-		dwMemPos += CSoundFile_ReadSample(_this, &_this->Ins[iSmp], flags, (LPSTR)(lpStream+dwMemPos), dwMemLength-dwMemPos);
+		dwMemPos += CSoundFile_ReadSample(_this, &_this->Ins[iSmp], flags, (LPCSTR)(lpStream+dwMemPos), dwMemLength-dwMemPos);
 	}
 	return TRUE;
 }
 
 
+// Precheck AMS packed sample size to determine whether or not it could fit the actual size.
+static BOOL AMSUnpackCheck(const BYTE *lpStream, DWORD dwMemLength, MODINSTRUMENT *ins)
+// -----------------------------------------------------------------------------------
+{
+	if (dwMemLength < 9) return FALSE;
+	DWORD packedbytes = *((DWORD *)(lpStream + 4));
+
+	DWORD samplebytes = ins->nLength;
+	if (samplebytes > MAX_SAMPLE_LENGTH) samplebytes = MAX_SAMPLE_LENGTH;
+	if (ins->uFlags & CHN_16BIT) samplebytes *= 2;
+
+	// RLE can pack a run of up to 255 bytes into 3 bytes.
+	DWORD packedmin = (samplebytes * 3) >> 8;
+	if (packedbytes < packedmin)
+	{
+		samplebytes = packedbytes * (255 / 3) + 2;
+		ins->nLength = samplebytes;
+		if (ins->uFlags & CHN_16BIT) ins->nLength >>= 1;
+	}
+
+	return TRUE;
+}
+
 /////////////////////////////////////////////////////////////////////
 // AMS Sample unpacking
 
 void AMSUnpack(const char *psrc, UINT inputlen, char *pdest, UINT dmax, char packcharacter)
 {
 	UINT tmplen = dmax;
 	signed char *amstmp = (signed char *) SDL_malloc(tmplen);
-	
+
 	if (!amstmp) return;
 	// Unpack Loop
 	{
@@ -530,9 +569,11 @@ void AMSUnpack(const char *psrc, UINT inputlen, char *pdest, UINT dmax, char pac
 			signed char ch = psrc[i++];
 			if (ch == packcharacter)
 			{
+				if (i >= inputlen) break;
 				BYTE ch2 = psrc[i++];
 				if (ch2)
 				{
+					if (i >= inputlen) break;
 					ch = psrc[i++];
 					while (ch2--)
 					{
@@ -542,6 +583,12 @@ void AMSUnpack(const char *psrc, UINT inputlen, char *pdest, UINT dmax, char pac
 				} else p[j++] = packcharacter;
 			} else p[j++] = ch;
 		}
+		if (j < tmplen)
+		{
+			// Truncated or invalid; don't try to unpack this.
+			SDL_free(amstmp);
+			return;
+		}
 	}
 	// Bit Unpack Loop
 	{

src/libmodplug/load_dbm.c

@@ -131,6 +131,9 @@ BOOL CSoundFile_ReadDBM(CSoundFile *_this, const BYTE *lpStream, DWORD dwMemLeng
 		// Instruments
 		if (chunk_id == bswapLE32(DBM_ID_INST))
 		{
+			// Skip duplicate chunks.
+			if (_this->m_nInstruments) continue;
+
 			if (nInstruments >= MAX_INSTRUMENTS) nInstruments = MAX_INSTRUMENTS-1;
 			for (UINT iIns=0; iIns<nInstruments; iIns++)
 			{
@@ -227,6 +230,9 @@ BOOL CSoundFile_ReadDBM(CSoundFile *_this, const BYTE *lpStream, DWORD dwMemLeng
 				DWORD pksize;
 				UINT nRows;
 
+				// Skip duplicate chunks.
+				if (_this->Patterns[iPat]) break;
+
 				if (chunk_pos + sizeof(DBMPATTERN) > dwMemPos) break;
 				pph = (DBMPATTERN *)(lpStream+chunk_pos);
 				pksize = bswapBE32(pph->packedsize);