MP4: Fix panic on invalid data atom size

Author: Serial-ATA

CHANGELOG.md

@@ -29,6 +29,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - **MP4**:
     - Fix panic when reading properties of a file with no timescale specified ([issue](https://github.com/Serial-ATA/lofty-rs/issues/418))
     - Fix panics when reading improperly sized freeform atom identifiers ([issue](https://github.com/Serial-ATA/lofty-rs/issues/425)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/426))
+    - Fix panic when `data` atom length is less than 16 bytes ([issue](https://github.com/Serial-ATA/lofty-rs/issues/429))
   - **WAV**:
     - Fix panic when reading properties with large written bytes per second ([issue](https://github.com/Serial-ATA/lofty-rs/issues/420))
     - Fix panic when reading an improperly sized INFO LIST ([issue](https://github.com/Serial-ATA/lofty-rs/issues/427))

lofty/src/mp4/ilst/read.rs

@@ -226,6 +226,18 @@ where
 			break;
 		};
 
+		if next_atom.len < 16 {
+			log::warn!(
+				"Expected data atom to be at least 16 bytes, got {}. Stopping",
+				next_atom.len
+			);
+			if parsing_mode == ParsingMode::Strict {
+				err!(BadAtom("Data atom is too small"))
+			}
+
+			break;
+		}
+
 		// We don't care about the version
 		let _version = reader.read_u8()?;
 
@@ -239,7 +251,6 @@ where
 
 		match next_atom.ident {
 			DATA_ATOM_IDENT => {
-				debug_assert!(next_atom.len >= 16);
 				let content_len = (next_atom.len - 16) as usize;
 				if content_len > 0 {
 					let mut content = try_vec![0; content_len];

lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_60_RAND_135276517902742448802109.m4a

@@ -23,3 +23,11 @@ fn panic2() {
 	);
 	let _ = Mp4File::read_from(&mut reader, ParseOptions::new());
 }
+
+#[test]
+fn panic3() {
+	let mut reader = crate::get_reader(
+		"mp4file_read_from/steam_at_mention_IDX_60_RAND_135276517902742448802109.m4a",
+	);
+	let _ = Mp4File::read_from(&mut reader, ParseOptions::new());
+}