Crash on malformed input

[tlby]

Thank you for this work!

I discovered some poorly formed content that triggered an exception.

Example:

import sniffpy
buf = (
    b'\n\xef\xbb\xbf<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict'
    b'//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\n<html'
    b' xmlns="http://www.w3.org/1999/xhtml">\n<html xmlns:fb="http://ww'
    b'w.facebook.com/2008/fbml">\n[...]\n</html>\r\n<!-- Performance op'
    b'timized by W3 Total Cache. Learn more: https://www.w3-edge.com/pr'
    b'oducts/\r\n\r\nPage Caching using disk: enhanced (SSL caching dis'
    b'abled)\r\n\r\n Served from: [...] @ 2017-03-29 16:04:56 by W3 Tot'
    b'al Cache -->'
)
sniffpy.sniff(buf)

produces:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/share/github.com/codeprentice-org/sniffpy/sniffpy/sniff.py", line 205, in sniff
    return sniff_unknown(resource, sniff_scriptable=not no_sniff)
  File "/share/github.com/codeprentice-org/sniffpy/sniffpy/sniff.py", line 106, in sniff_unknown
    mime_type = match.match_video_audio_type_pattern(resource)
  File "/share/github.com/codeprentice-org/sniffpy/sniffpy/match.py", line 93, in match_video_audio_type_pattern
    if is_mp3_pattern(resource):
  File "/share/github.com/codeprentice-org/sniffpy/sniffpy/match.py", line 132, in is_mp3_pattern
    if not match_mp3_header(resource, offset, parsed_values):
  File "/share/github.com/codeprentice-org/sniffpy/sniffpy/utils.py", line 49, in match_mp3_header
    parsed_values['layer'] = layer[0] >> 1
TypeError: 'int' object is not subscriptable

A few things are interesting to note about this content:

• Byte order mark follows a newline
• Line endings switch from \n to \r\n mid way
• Multiple <html> tags
• Mismatched open/close tags

This sample was found on the web (by commoncrawl.org in 2017), though I have replaced large sections with "[...]" that were not significant to the crash.

[tlby]

I think the match_mp3_header() routine has some logical flaws, in particular the mp3 frame header check seemed too lenient; perhaps an and should have been an or, but there were more flaws beyond that leading to the TypeError. Here's my rough idea of what this routine might have been trying to do following what I found here.

diff --git a/sniffpy/utils.py b/sniffpy/utils.py
index 30c4e2f..fd15744 100644
--- a/sniffpy/utils.py
+++ b/sniffpy/utils.py
@@ -39,25 +39,25 @@ def match_mp3_header(
     Solution is not cleanbut is the most consistent with the specification"""

     # We use b'\x02'[0] to extract unsigned int from byte (2 in this case)
-    if len(resource) < 4:
+    if len(resource) - offset < 4:
         return False
-    if resource[offset] != b'\xff' and resource[offset +
-                                                1] & b'\xe0'[0] != b'\xe0'[0]:
+    frame_sync = (resource[offset] << 3) + (resource[offset+1] >> 5)
+    if frame_sync != 0x7ff:
         return False

-    layer = resource[offset + 1] & b'\x06'[0]
-    parsed_values['layer'] = layer[0] >> 1
-    if parsed_values['layer'] == 0:
+    layer = 0x3 & (resource[offset+1] >> 1)
+    parsed_values['layer'] = layer
+    if layer == 0:
         return False

-    bit_rate = resource[offset + 2] & b'\x0c'[0]
-    parsed_values['bit_rate'] = bit_rate[0] >> 4
-    if parsed_values['bit_rate'] == 15:
+    bit_rate = resource[offset+2] >> 4
+    parsed_values['bit_rate'] = bit_rate
+    if bit_rate == 15:
         return False

-    sample_rate = resource[offset + 2] & b'\x0c'[0]
-    parsed_values['sample_rate'] = sample_rate >> 2
-    if parsed_values['sample_rate'] == 3:
+    sample_rate = 0x3 & (resource[offset+2] >> 2)
+    parsed_values['sample_rate'] = sample_rate
+    if sample_rate == 3:
         return False

     parsed_values['freq'] = const.SAMPLE_RATES[sample_rate]

This is just a rough draft, I'm not in a position to craft a well formed pull request at this time. Thanks!

[velezbeltran]

Hi @tlby,

Thank you for letting us know about this! I will try to take a look and see if I have the time to fix it soon. I will let you know.
Best,
Nicolas