From 2f62ff9b6002f9cad71db0cf7912b2e155868d0a Mon Sep 17 00:00:00 2001
From: Serial <69764315+Serial-ATA@users.noreply.github.com>
Date: Mon, 11 Jul 2022 16:57:03 -0400
Subject: [PATCH] PictureInformation: Fix potential overflowing addition in `from_png`

---
 src/picture.rs | 7 ++++++-
 tests/fuzz/pictureinformation_from_png.rs | 11 ++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/picture.rs b/src/picture.rs
index c289eba6..551f3352 100644
--- a/src/picture.rs
+++ b/src/picture.rs
@@ -374,7 +374,12 @@ impl PictureInformation {
 }
 
 // Skip the chunk's data (size) and CRC (4 bytes)
- reader.seek(SeekFrom::Current(i64::from(size + 4)))?;
+ let (content_size, overflowed) = size.overflowing_add(4);
+ if overflowed {
+ break;
+ }
+
+ reader.seek(SeekFrom::Current(i64::from(content_size)))?;
 }
 
 Ok(ret)
diff --git a/tests/fuzz/pictureinformation_from_png.rs b/tests/fuzz/pictureinformation_from_png.rs
index 70b786d1..5d36086c 100644
--- a/tests/fuzz/pictureinformation_from_png.rs
+++ b/tests/fuzz/pictureinformation_from_png.rs
@@ -1 +1,10 @@
-// TODO
+use crate::get_reader;
+use lofty::PictureInformation;
+
+#[test]
+fn crash1() {
+ let reader =
+ get_reader("pictureinformation_from_png/crash-9cca0ac668e4735a0aac8eddb91a50b9351b419c");
+
+ let _ = PictureInformation::from_png(reader.get_ref()).unwrap();
+}
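Review bot: The `break` under the new `if overflowed` check turns a malformed chunk length into a silent success — the loop exits and `from_png` still reaches `Ok(ret)` with whatever was parsed before the bad chunk, so a caller cannot tell a truncated or hostile file from a clean one. Using `size.checked_add(4)` and routing the `None` case into the function's existing error return would keep the panic fix while making the failure visible; if the silent break is intentional, a comment such as `// Malformed chunk length: stop parsing rather than overflow the seek offset` should say so. Note that the guard only catches lengths within 4 of the type's maximum (assuming `size` is a `u32`); a length that does not overflow but exceeds the remaining input still seeks past the end, which presumably fails on the next read rather than here — worth confirming. The enclosing loop and `from_png` itself start outside the hunk.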
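Review bot: `crash1` asserts with `unwrap()` that the fuzz fixture now parses to `Ok`, which pins the commit's silent-`break` behavior: if `from_png` is later changed to report the overflowing chunk length as an error, this test fails even though that is the safer outcome. If the intent is only regression coverage for the panic, drop the `unwrap()` (`let _ = PictureInformation::from_png(reader.get_ref());`) so the test fails only on a panic; if an `Ok` result is deliberate, a comment should state that. A one-line comment naming what the fixture triggers would also help a reader, e.g. `// Fixture whose PNG chunk length presumably sits near u32::MAX, making the old size + 4 overflow.`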