Heap buffer overflow in dr_wav metadata parser (fuzz findings + OSS-Fuzz proposal) #305

@vLAlexTkk

Description

Fuzzing dr_wav.h with AFL++ (ASAN-instrumented) found 41 crashes in 2 minutes,
falling into 2 bug classes:

Bug 1: heap-buffer-overflow WRITE in drwav__metadata_process_unknown_chunk (line ~2713)

  • 10 of 41 crashes
  • The two-pass metadata parser encounters more chunks in stage 2 than counted in stage 1

Bug 2: assertion failure / buffer overrun in drwav__metadata_get_memory (line ~2130)

  • 31 of 41 crashes
  • Same root cause: stage-1/stage-2 metadata count mismatch

Reproduction

Compile with AddressSanitizer and feed the attached .wav files:

cc -fsanitize=address -O1 -o repro repro.c
./repro < crash_heap_overflow.wav   # Bug 1
./repro < crash_assertion.wav       # Bug 2

Where repro.c is:

#include <stdio.h>
#define DR_WAV_IMPLEMENTATION
#include "dr_wav.h"

int main(void) {
    /* Read the whole PoC file from stdin (the attached PoCs are 56 bytes; 64 KiB is plenty). */
    static char buf[65536];
    size_t n = fread(buf, 1, sizeof(buf), stdin);
    drwav wav;
    /* The crash fires inside drwav_init_memory while the metadata chunks are parsed. */
    if (!drwav_init_memory(&wav, buf, n, NULL)) {
        return 1;   /* init failed cleanly; nothing to uninit */
    }
    drwav_uninit(&wav);
    return 0;
}

Version

dr_wav.h v0.14.5 (latest as of writing)

PoC files attached

  • crash_heap_overflow.wav (56 bytes) — triggers heap-buffer-overflow WRITE
  • crash_assertion.wav (56 bytes) — triggers assertion failure

OSS-Fuzz integration

I've also prepared fuzzing harnesses for dr_wav, dr_mp3, and dr_flac.
Would you be open to integrating dr_libs into Google's OSS-Fuzz for continuous fuzzing?
I can submit the PR — just need your approval as project maintainer.

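The bug class in the report is a count-then-fill parser whose two passes disagree. The following is an added example, not dr_wav's code and not from the issue author: a constructed model in which pass 1 counts chunks under one rule (a chunk whose declared size runs past the buffer ends the walk) and pass 2 fills under a looser rule (the truncated chunk is clamped and still visited), so pass 2 writes past the pass-1 allocation. The chunk layout, the rule names (RULE_STRICT, RULE_LENIENT), the helper names and the 32-byte sample input are all assumptions made for the example. The hardened form uses one walker with one rule for both passes and, independently, bounds every pass-2 write by the pass-1 count and reports a mismatch instead of trusting it.

```c
/* Constructed model of a count-then-fill (two-pass) chunk parser, written to
 * illustrate the bug class in this report. It is NOT dr_wav's code: the chunk
 * layout, the rule names and the pass-1/pass-2 inconsistency are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { uint32_t offset; uint32_t size; } chunk_ref;
typedef void (*chunk_cb)(void *ctx, uint32_t offset, uint32_t size);

enum { RULE_STRICT = 0, RULE_LENIENT = 1 };   /* how a truncated last chunk is treated */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk chunks of the form: 4-byte id, 4-byte little-endian size, payload.
 * A chunk whose declared size runs past the buffer ends the walk under
 * RULE_STRICT but is clamped and still visited under RULE_LENIENT. */
static uint32_t walk_chunks(const uint8_t *buf, size_t len, int rule, chunk_cb cb, void *ctx) {
    size_t pos = 0; uint32_t n = 0;
    while (len - pos >= 8) {
        uint32_t size = rd32le(buf + pos + 4);
        size_t avail = len - pos - 8;
        if (size > avail) {
            if (rule == RULE_STRICT) break;
            size = (uint32_t)avail;
        }
        if (cb) cb(ctx, (uint32_t)(pos + 8), size);
        n++;
        pos += 8 + size;          /* size <= avail, so pos never exceeds len */
    }
    return n;
}

/* BUGGY pass 2: writes refs[n] trusting that pass 1 counted every chunk pass 2 sees. */
typedef struct { chunk_ref *refs; uint32_t n; } fill_ctx;
static void fill_unbounded(void *c, uint32_t off, uint32_t size) {
    fill_ctx *f = c;
    f->refs[f->n].offset = off;   /* heap-buffer-overflow WRITE when pass 2 sees more chunks */
    f->refs[f->n].size = size;
    f->n++;
}
static chunk_ref *parse_buggy(const uint8_t *buf, size_t len, uint32_t *count) {
    *count = walk_chunks(buf, len, RULE_STRICT, NULL, NULL);          /* pass 1: count */
    fill_ctx f = { malloc((*count ? *count : 1) * sizeof(chunk_ref)), 0 };
    if (!f.refs) return NULL;
    walk_chunks(buf, len, RULE_LENIENT, fill_unbounded, &f);           /* pass 2: different rule */
    return f.refs;
}

/* HARDENED pass 2: never writes past the pass-1 allocation and records any disagreement. */
typedef struct { chunk_ref *refs; uint32_t n, cap; int overflow; } safe_ctx;
static void fill_bounded(void *c, uint32_t off, uint32_t size) {
    safe_ctx *s = c;
    if (s->n >= s->cap) { s->overflow = 1; return; }
    s->refs[s->n].offset = off; s->refs[s->n].size = size;
    s->n++;
}
/* Returns 0 and hands out refs/count on success, -1 on allocation failure or pass
 * mismatch. rule1/rule2 are parameters only so the mismatch path can be exercised. */
static int parse_bounded(const uint8_t *buf, size_t len, int rule1, int rule2,
                         chunk_ref **out, uint32_t *count) {
    uint32_t n1 = walk_chunks(buf, len, rule1, NULL, NULL);
    safe_ctx s = { calloc(n1 ? n1 : 1, sizeof(chunk_ref)), 0, n1, 0 };
    if (!s.refs) return -1;
    uint32_t n2 = walk_chunks(buf, len, rule2, fill_bounded, &s);
    if (s.overflow || n2 != n1) { free(s.refs); return -1; }
    *out = s.refs; *count = n1;
    return 0;
}
static int parse_hardened(const uint8_t *buf, size_t len, chunk_ref **out, uint32_t *count) {
    return parse_bounded(buf, len, RULE_STRICT, RULE_STRICT, out, count);  /* one rule, both passes */
}

/* Constructed 32-byte input: two well-formed chunks, then a chunk claiming
 * 0xFFFFFFF0 bytes with only 2 remaining. STRICT counts 2, LENIENT counts 3. */
static const uint8_t SAMPLE[32] = {
    'f','m','t',' ', 0x04,0,0,0, 1,2,3,4,
    'd','a','t','a', 0x02,0,0,0, 0xAA,0xBB,
    'L','I','S','T', 0xF0,0xFF,0xFF,0xFF, 0,0,
};

/* Helpers that return plain values so the behaviour can be checked. */
static int sample_count(int rule) { return (int)walk_chunks(SAMPLE, sizeof SAMPLE, rule, NULL, NULL); }
static int sample_hardened_count(void) {
    chunk_ref *r; uint32_t n;
    if (parse_hardened(SAMPLE, sizeof SAMPLE, &r, &n) != 0) return -1;
    int ok = r[0].offset == 8 && r[0].size == 4 && r[1].offset == 20 && r[1].size == 2;
    free(r);
    return ok ? (int)n : -2;
}
static int sample_mismatch_rejected(void) {
    chunk_ref *r; uint32_t n;
    return parse_bounded(SAMPLE, sizeof SAMPLE, RULE_STRICT, RULE_LENIENT, &r, &n) == -1;
}

int main(void) {
    printf("strict=%d lenient=%d hardened=%d mismatch_rejected=%d\n",
           sample_count(RULE_STRICT), sample_count(RULE_LENIENT),
           sample_hardened_count(), sample_mismatch_rejected());
    uint32_t n;                      /* build with -fsanitize=address to see the WRITE */
    chunk_ref *r = parse_buggy(SAMPLE, sizeof SAMPLE, &n);
    free(r);
    return 0;
}
```

Built with `cc -fsanitize=address -O1`, the `parse_buggy` call in `main` reports a heap-buffer-overflow WRITE of 8 bytes past a 16-byte allocation, the same shape as Bug 1 above; `parse_bounded` with mismatched rules returns -1 instead. The two defences are deliberately independent: sharing one walker removes the root cause, and the bound check in pass 2 keeps a future divergence from becoming memory corruption.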