PictureInformation: Fix potential overflowing subtraction in from_jpeg

2024-11-10 06:34:18 +00:00 · 2022-07-11 16:52:52 -04:00 · 2022-07-11 16:52:52 -04:00 · f99a587391
commit f99a587391
parent 9c35120aeb
3 changed files with 26 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **AIFF/WAV**: Stop relying on the file-provided size when reading (Fixes OOM)
 - **Tag**: The `Accessor::set_*` methods will now remove the item when given an empty string

+### Fixed
+- **PictureInformation**: Fix potential overflow on an invalid picture
+
 ## [0.7.1] - 2022-07-08

 ### Added
--- a/src/picture.rs
+++ b/src/picture.rs
@ -400,8 +400,12 @@ impl PictureInformation {

 		let mut reader = Cursor::new(reader);

-		// The length contains itself
-		reader.seek(SeekFrom::Current(i64::from(section_len - 2)))?;
+		// The length contains itself, so anything < 2 is invalid
+		let (content_len, overflowed) = section_len.overflowing_sub(2);
+		if overflowed {
+			return Err(LoftyError::new(ErrorKind::NotAPicture));
+		}
+		reader.seek(SeekFrom::Current(i64::from(content_len)))?;

 		while let Ok(0xFF) = reader.read_u8() {
 			let marker = reader.read_u8()?;
--- a/tests/fuzz/pictureinformation_from_jpeg.rs
+++ b/tests/fuzz/pictureinformation_from_jpeg.rs
@ -1 +1,17 @@
-// TODO
+use crate::get_reader;
+use lofty::error::ErrorKind;
+use lofty::PictureInformation;
+
+#[test]
+fn crash1() {
+	let reader =
+		get_reader("pictureinformation_from_jpeg/crash-e46c53f85ca87dd374bc5c4e73c2f66f3a45b955");
+
+	match PictureInformation::from_jpeg(reader.get_ref())
+		.unwrap_err()
+		.kind()
+	{
+		ErrorKind::NotAPicture => {},
+		e => panic!("Received an unexpected error: {:?}", e),
+	}
+}