From 15e893e26829e20dc101a94800a2fdb46c447f18 Mon Sep 17 00:00:00 2001
From: Serial <69764315+Serial-ATA@users.noreply.github.com>
Date: Mon, 22 Jul 2024 12:44:16 -0400
Subject: [PATCH] MP4: Fix panic on invalid `data` atom size
---
 CHANGELOG.md | 1 +
 lofty/src/mp4/ilst/read.rs | 13 ++++++++++++-
 ...tion_IDX_60_RAND_135276517902742448802109.m4a | Bin 0 -> 3369 bytes
 lofty/tests/fuzz/mp4file_read_from.rs | 8 ++++++++
 4 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100755 lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_60_RAND_135276517902742448802109.m4a
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2b0bb00d..54b25f9f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **MP4**:
 - Fix panic when reading properties of a file with no timescale specified ([issue](https://github.com/Serial-ATA/lofty-rs/issues/418))
 - Fix panics when reading improperly sized freeform atom identifiers ([issue](https://github.com/Serial-ATA/lofty-rs/issues/425)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/426))
+ - Fix panic when `data` atom length is less than 16 bytes ([issue](https://github.com/Serial-ATA/lofty-rs/issues/429))
 - **WAV**:
 - Fix panic when reading properties with large written bytes per second ([issue](https://github.com/Serial-ATA/lofty-rs/issues/420))
 - Fix panic when reading an improperly sized INFO LIST ([issue](https://github.com/Serial-ATA/lofty-rs/issues/427))
diff --git a/lofty/src/mp4/ilst/read.rs b/lofty/src/mp4/ilst/read.rs
index 914f17e6..09623e1c 100644
--- a/lofty/src/mp4/ilst/read.rs
+++ b/lofty/src/mp4/ilst/read.rs
@@ -226,6 +226,18 @@ where
 break;
 };
+ if next_atom.len < 16 {
+ log::warn!(
+ "Expected data atom to be at least 16 bytes, got {}. Stopping",
+ next_atom.len
+ );
+ if parsing_mode == ParsingMode::Strict {
+ err!(BadAtom("Data atom is too small"))
+ }
+
+ break;
+ }
+
 // We don't care about the version
 let _version = reader.read_u8()?;
@@ -239,7 +251,6 @@ where
 match next_atom.ident {
 DATA_ATOM_IDENT => {
- debug_assert!(next_atom.len >= 16);
 let content_len = (next_atom.len - 16) as usize;
 if content_len > 0 {
 let mut content = try_vec![0; content_len];
diff --git a/lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_60_RAND_135276517902742448802109.m4a b/lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_60_RAND_135276517902742448802109.m4a
new file mode 100755
index 0000000000000000000000000000000000000000..c7a9b7509c79d40d1a28862dea815189d31c1d87
GIT binary patch
literal 3369
zcmeHGJ8KkC6h1R~tWQWnLJ|#T2ns25-R#aLDdXnRMS~A)M3~G>Hfwfv#+kb-Dv}6V z1hf?t1PNFKg|rqH78VvF(Z)ZZ5U{ndNa1&8?y!%fh}LtMkMrGg?z!jQ@6IJ6ZAskq z=Jg92!Pq;Vo-GBg!(*c3-Hz+lK*~;S+2Y7|ef<-I=!VHWcfDd*?5n~s(x9ExUv<9#WHv?5J9MJ6sPOB z1>PN7{ah+_ae#G)3R z0uYsHdSom@YgU&d!QwHi*oZkfFV534`eHu4A(gt?38B zPvsk)$5$HJ8FckZy2R3M8B7C<@^96)9=oJkQY)|5Z za6H~>PiqB@ZVHz(T4Sry)oR5Kw6Sb@BCV$
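Review bot: The new length guard sits ahead of the version read, so it applies to every atom this loop yields and not only to `data` atoms, yet the Strict-mode error it raises is `BadAtom("Data atom is too small")`; if the `match next_atom.ident` below has arms for other identifiers (its remaining arms are outside the hunk), a short non-`data` atom is now rejected in Strict mode with a misleading message, so either move the check into the `DATA_ATOM_IDENT` arm or word it by identifier, e.g. `"Atom {:?} is shorter than its 16-byte minimum"`. A short comment above the check would also tell the next reader why 16 is the floor, e.g. `// 8-byte atom header + version/flags + reserved word; anything shorter carries no payload` — confirm that breakdown against the reads that follow, which are outside the hunk. Separately, `content_len` is still derived solely from the file-supplied `next_atom.len`; unless that value was already capped against the enclosing atom or the reader's remaining length earlier in the function, `try_vec![0; content_len]` will attempt whatever size the file declares, which is worth bounding for fuzzed or hostile input. The enclosing function starts and ends outside the hunk.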