MPEG: Fix subtraction by zero panic regression

Caught by `mpegfile_read_from` fuzz target, in the event that the extended header has a size >= the total tag size.

The regression was introduced in 080742d392.

src/error.rs

@@ -78,7 +78,7 @@ pub enum Id3v2ErrorKind {
 	/// At the time the ID3v2.2 specification was written, a compression scheme wasn't decided.
 	/// As such, it is recommended to ignore the tag entirely.
 	V2Compression,
-	/// Arises when an extended header has an invalid size (must be >= 6 bytes)
+	/// Arises when an extended header has an invalid size (must be >= 6 bytes and less than the total tag size)
 	BadExtendedHeaderSize,
 
 	// Frame
@@ -129,7 +129,7 @@ impl Display for Id3v2ErrorKind {
 			),
 			Self::V2Compression => write!(f, "Encountered a compressed ID3v2.2 tag"),
 			Self::BadExtendedHeaderSize => {
-				write!(f, "Found an extended header with an invalid size (< 6)")
+				write!(f, "Found an extended header with an invalid size")
 			},
 
 			// Frame

src/id3/v2/mod.rs

@@ -135,6 +135,10 @@ where
 		}
 	}
 
+	if extended_size > 0 && extended_size >= size {
+		return Err(Id3v2Error::new(Id3v2ErrorKind::BadExtendedHeaderSize).into());
+	}
+
 	Ok(ID3v2Header {
 		version,
 		flags: flags_parsed,

tests/fuzz/mpegfile_read_from.rs

@@ -1,5 +1,14 @@
-use crate::oom_test;
+use crate::{get_reader, oom_test};
 use lofty::mpeg::MpegFile;
+use lofty::{AudioFile, ParseOptions};
+
+#[test]
+fn crash1() {
+	let mut reader =
+		get_reader("mpegfile_read_from/crash-9b17818b6404b1c4b9f89c09dc11e915b96cafc6");
+
+	let _ = MpegFile::read_from(&mut reader, ParseOptions::new());
+}
 
 #[test]
 fn oom1() {