MPEG: Fix potential panic in stream length calculation

Serial-ATA · Serial-ATA · commit 35eb5785a59f · 2024-11-23T16:13:14.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -59,6 +59,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     - **WavPack***: Fix panic when encountering wrongly sized blocks ([issue](https://github.com/Serial-ATA/lofty-rs/issues/472)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/480))
     - **WavPack***: Fix panic when encountering zero-sized blocks ([issue](https://github.com/Serial-ATA/lofty-rs/issues/473))
     - **MPEG**: Fix panic when APE tags are incorrectly sized ([issue](https://github.com/Serial-ATA/lofty-rs/issues/474))
+    - **MPEG**: Fix panic when calculating the stream length for files with improperly sized frames ([issue](https://github.com/Serial-ATA/lofty-rs/issues/487))
     - **ID3v2**: Fix panic when parsing non-ASCII `TDAT` and `TIME` frames in `TDRC` conversion ([issue](https://github.com/Serial-ATA/lofty-rs/issues/477))
     - **APE**: Fix panic when parsing incorrectly sized header APE tags ([issue](https://github.com/Serial-ATA/lofty-rs/issues/481))
 
diff --git a/lofty/src/mpeg/properties.rs b/lofty/src/mpeg/properties.rs
@@ -212,7 +212,13 @@ where
 		return Ok(());
 	};
 
-	let stream_len = (last_frame_offset + u64::from(last_frame_header.len)) - first_frame_offset;
+	let stream_end = last_frame_offset + u64::from(last_frame_header.len);
+	if stream_end < first_frame_offset {
+		// Something is incredibly wrong with this file, just give up
+		return Ok(());
+	}
+
+	let stream_len = stream_end - first_frame_offset;
 	if !is_cbr {
 		log::debug!("MPEG: VBR detected");
 
diff --git a/lofty/tests/fuzz/assets/mpegfile_read_from/crash-625fdf469a07ca27b291122f8f95f6fce4458ad5_minimized b/lofty/tests/fuzz/assets/mpegfile_read_from/crash-625fdf469a07ca27b291122f8f95f6fce4458ad5_minimized
diff --git a/lofty/tests/fuzz/mpegfile_read_from.rs b/lofty/tests/fuzz/mpegfile_read_from.rs
@@ -33,6 +33,13 @@ fn crash4() {
 	let _ = MpegFile::read_from(&mut reader, ParseOptions::new());
 }
 
+#[test_log::test]
+fn crash5() {
+	let mut reader =
+		get_reader("mpegfile_read_from/crash-625fdf469a07ca27b291122f8f95f6fce4458ad5_minimized");
+	let _ = MpegFile::read_from(&mut reader, ParseOptions::new());
+}
+
 #[test_log::test]
 fn oom1() {
 	oom_test::<MpegFile>("mpegfile_read_from/oom-f8730cbfa5682ab12343ccb70de9b71a061ef4d0");
