MP4: Fix panic on large stts entry counts

Serial-ATA · Serial-ATA · commit 51e9f5d8b9e7 · 2024-07-28T13:57:33.000-04:00
diff --git a/lofty/src/mp4/properties.rs b/lofty/src/mp4/properties.rs
@@ -4,6 +4,7 @@ use crate::config::ParsingMode;
 use crate::error::{LoftyError, Result};
 use crate::macros::{decode_err, err, try_vec};
 use crate::properties::FileProperties;
+use crate::util::alloc::VecFallibleCapacity;
 use crate::util::math::RoundedDivision;
 
 use std::io::{Cursor, Read, Seek, SeekFrom};
@@ -340,7 +341,7 @@ where
 	let _version_and_flags = reader.read_uint::<BigEndian>(4)?;
 
 	let entry_count = reader.read_u32::<BigEndian>()?;
-	let mut entries = Vec::with_capacity(entry_count as usize);
+	let mut entries = Vec::try_with_capacity_stable(entry_count as usize)?;
 
 	for _ in 0..entry_count {
 		let sample_count = reader.read_u32::<BigEndian>()?;
diff --git a/lofty/tests/fuzz/assets/mp4file_read_from/ui_steam_smoother_friend_join_IDX_53_RAND_83672409887817275057956.m4a b/lofty/tests/fuzz/assets/mp4file_read_from/ui_steam_smoother_friend_join_IDX_53_RAND_83672409887817275057956.m4a
diff --git a/lofty/tests/fuzz/mp4file_read_from.rs b/lofty/tests/fuzz/mp4file_read_from.rs
@@ -47,3 +47,11 @@ fn panic5() {
 	);
 	let _ = Mp4File::read_from(&mut reader, ParseOptions::new());
 }
+
+#[test]
+fn panic6() {
+	let mut reader = crate::get_reader(
+		"mp4file_read_from/ui_steam_smoother_friend_join_IDX_53_RAND_83672409887817275057956.m4a",
+	);
+	let _ = Mp4File::read_from(&mut reader, ParseOptions::new());
+}
