diff --git a/CHANGELOG.md b/CHANGELOG.md
index e7f1abe5..9ce15c94 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -59,6 +59,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **WavPack***: Fix panic when encountering wrongly sized blocks ([issue](https://github.com/Serial-ATA/lofty-rs/issues/472)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/480))
 - **WavPack***: Fix panic when encountering zero-sized blocks ([issue](https://github.com/Serial-ATA/lofty-rs/issues/473))
 - **MPEG**: Fix panic when APE tags are incorrectly sized ([issue](https://github.com/Serial-ATA/lofty-rs/issues/474))
+- **MPEG**: Fix panic when calculating the stream length for files with improperly sized frames ([issue](https://github.com/Serial-ATA/lofty-rs/issues/487))
 - **ID3v2**: Fix panic when parsing non-ASCII `TDAT` and `TIME` frames in `TDRC` conversion ([issue](https://github.com/Serial-ATA/lofty-rs/issues/477))
 - **APE**: Fix panic when parsing incorrectly sized header APE tags ([issue](https://github.com/Serial-ATA/lofty-rs/issues/481))
diff --git a/lofty/src/mpeg/properties.rs b/lofty/src/mpeg/properties.rs
index 23e6fac2..12209e6a 100644
--- a/lofty/src/mpeg/properties.rs
+++ b/lofty/src/mpeg/properties.rs
@@ -212,7 +212,13 @@ where
 		return Ok(());
 	};
 
-	let stream_len = (last_frame_offset + u64::from(last_frame_header.len)) - first_frame_offset;
+	let stream_end = last_frame_offset + u64::from(last_frame_header.len);
+	if stream_end < first_frame_offset {
+		// Something is incredibly wrong with this file, just give up
+		return Ok(());
+	}
+
+	let stream_len = stream_end - first_frame_offset;
 
 	if !is_cbr {
 		log::debug!("MPEG: VBR detected");
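Review bot: The new guard at `if stream_end < first_frame_offset` returns `Ok(())` silently, so a file that takes this path comes back with no stream length and nothing in the logs to explain why, while the branch right below already emits `log::debug!` for the VBR case; I would log before bailing, e.g. `log::warn!("MPEG: Last frame ends before the first frame starts, cannot compute stream length");`, so corrupt or fuzzed inputs reaching this branch are observable. The guard and the subtraction can also be folded into one step that states the non-panicking intent directly, matching the let-else form the hunk's first context lines appear to end: `let Some(stream_len) = stream_end.checked_sub(first_frame_offset) else { return Ok(()); };`. Note that `last_frame_offset + u64::from(last_frame_header.len)` is still an unchecked u64 addition; `last_frame_offset` is presumably a file position and cannot realistically overflow, but `checked_add` would make the whole computation panic-free regardless of where the offset comes from. The enclosing function starts and ends outside the hunk.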
diff --git a/lofty/tests/fuzz/assets/mpegfile_read_from/crash-625fdf469a07ca27b291122f8f95f6fce4458ad5_minimized b/lofty/tests/fuzz/assets/mpegfile_read_from/crash-625fdf469a07ca27b291122f8f95f6fce4458ad5_minimized
new file mode 100644
index 00000000..258027ec
Binary files /dev/null and b/lofty/tests/fuzz/assets/mpegfile_read_from/crash-625fdf469a07ca27b291122f8f95f6fce4458ad5_minimized differ
diff --git a/lofty/tests/fuzz/mpegfile_read_from.rs b/lofty/tests/fuzz/mpegfile_read_from.rs
index cee3a3d8..2b78ebb9 100644
--- a/lofty/tests/fuzz/mpegfile_read_from.rs
+++ b/lofty/tests/fuzz/mpegfile_read_from.rs
@@ -33,6 +33,13 @@ fn crash4() {
 	let _ = MpegFile::read_from(&mut reader, ParseOptions::new());
 }
 
+#[test_log::test]
+fn crash5() {
+	let mut reader =
+		get_reader("mpegfile_read_from/crash-625fdf469a07ca27b291122f8f95f6fce4458ad5_minimized");
+	let _ = MpegFile::read_from(&mut reader, ParseOptions::new());
+}
+
 #[test_log::test]
 fn oom1() {
 	oom_test::("mpegfile_read_from/oom-f8730cbfa5682ab12343ccb70de9b71a061ef4d0");