Clamp oversized RIFF chunk to available bytes instead of rejecting it (#1329)

ryanfrancesconi · web-flow · commit d6a2134cf3af · 2026-04-04T12:47:49.000+02:00
Some encoders write a valid data chunk but with a slightly too-large
declared chunkSize, or place the data chunk beyond the declared RIFF
boundary. The previous behaviour called break, abandoning all remaining
chunks and making the file appear empty to taglib.

Lenient parsers (ffmpeg, QuickTime) handle this case by clamping the
chunk size to the bytes that actually remain in the file. Adopt the
same strategy: when chunkSize would exceed the file length, clamp it
and continue parsing rather than stopping early.
diff --git a/taglib/riff/rifffile.cpp b/taglib/riff/rifffile.cpp
@@ -298,16 +298,20 @@ void RIFF::File::read()
 
     seek(offset);
     const ByteVector   chnkName = readBlock(4);
-    const unsigned int chunkSize = readBlock(4).toUInt(bigEndian);
+    unsigned int chunkSize = readBlock(4).toUInt(bigEndian);
 
     if(!isValidChunkName(chnkName)) {
       debug("RIFF::File::read() -- Chunk '" + chnkName + "' has invalid ID");
       break;
     }
 
     if(static_cast<long long>(offset) + 8 + chunkSize > length()) {
-      debug("RIFF::File::read() -- Chunk '" + chnkName + "' has invalid size (larger than the file size)");
-      break;
+      // Clamp to available bytes rather than rejecting the chunk outright.
+      // Some encoders write a correct data chunk but with a slightly too-large
+      // declared size, or place the data chunk outside the declared RIFF boundary.
+      // Lenient parsers (ffmpeg, QuickTime) handle this by clamping; we do the same.
+      debug("RIFF::File::read() -- Chunk '" + chnkName + "' is truncated; clamping size to available bytes.");
+      chunkSize = static_cast<unsigned int>(length() - offset - 8);
     }
 
     Chunk chunk;
diff --git a/tests/test_wav.cpp b/tests/test_wav.cpp
@@ -320,7 +320,7 @@ class TestWAV : public CppUnit::TestFixture
     {
       FileStream stream(copy.fileName().c_str());
       stream.seek(0, IOStream::End);
-      constexpr char garbage[] = "12345678";
+      constexpr char garbage[] = "\r2345678";
       stream.writeBlock(ByteVector(garbage, sizeof(garbage) - 1));
       stream.seek(0);
       contentsBeforeModification = stream.readBlock(stream.length());

Original file line number	Diff line number	Diff line change
`@@ -320,7 +320,7 @@ class TestWAV : public CppUnit::TestFixture`
`320`	`320`	`{`
`321`	`321`	`FileStream stream(copy.fileName().c_str());`
`322`	`322`	`stream.seek(0, IOStream::End);`
`323`		`- constexpr char garbage[] = "12345678";`
	`323`	`+ constexpr char garbage[] = "\r2345678";`
`324`	`324`	`stream.writeBlock(ByteVector(garbage, sizeof(garbage) - 1));`
`325`	`325`	`stream.seek(0);`
`326`	`326`	`contentsBeforeModification = stream.readBlock(stream.length());`