MP4: Fix panic on improperly sized freeform idents

Serial-ATA · Serial-ATA · commit 5661d18a2e46 · 2024-07-23T16:07:43.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -30,6 +30,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     - Fix panic when reading properties of a file with no timescale specified ([issue](https://github.com/Serial-ATA/lofty-rs/issues/418))
     - Fix panics when reading improperly sized freeform atom identifiers ([issue](https://github.com/Serial-ATA/lofty-rs/issues/425)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/426))
     - Fix panic when `data` atom length is less than 16 bytes ([issue](https://github.com/Serial-ATA/lofty-rs/issues/429))
+    - Fix panic with improperly sized freeform identifiers ([issue](https://github.com/Serial-ATA/lofty-rs/issues/430))
     - Fix panic when `hdlr` atom is an unexpected length ([issue](https://github.com/Serial-ATA/lofty-rs/issues/435))
   - **WAV**:
     - Fix panic when reading properties with large written bytes per second ([issue](https://github.com/Serial-ATA/lofty-rs/issues/420))
diff --git a/lofty/src/mp4/atom_info.rs b/lofty/src/mp4/atom_info.rs
@@ -199,7 +199,7 @@ impl AtomInfo {
 				err!(BadAtom("Found an incomplete freeform identifier"));
 			}
 
-			atom_ident = parse_freeform(data, len, reader_size, parse_mode)?;
+			atom_ident = parse_freeform(data, len - ATOM_HEADER_LEN, parse_mode)?;
 		} else {
 			atom_ident = AtomIdent::Fourcc(identifier);
 		}
@@ -224,7 +224,6 @@ impl AtomInfo {
 fn parse_freeform<R>(
 	data: &mut R,
 	atom_len: u64,
-	reader_size: u64,
 	parse_mode: ParsingMode,
 ) -> Result<AtomIdent<'static>>
 where
@@ -237,8 +236,9 @@ where
 		err!(BadAtom("Found an incomplete freeform identifier"));
 	}
 
-	let mean = freeform_chunk(data, b"mean", reader_size, parse_mode)?;
-	let name = freeform_chunk(data, b"name", reader_size - 4, parse_mode)?;
+	let mut atom_len = atom_len;
+	let mean = freeform_chunk(data, b"mean", &mut atom_len, parse_mode)?;
+	let name = freeform_chunk(data, b"name", &mut atom_len, parse_mode)?;
 
 	Ok(AtomIdent::Freeform {
 		mean: mean.into(),
@@ -249,13 +249,13 @@ where
 fn freeform_chunk<R>(
 	data: &mut R,
 	name: &[u8],
-	reader_size: u64,
+	reader_size: &mut u64,
 	parse_mode: ParsingMode,
 ) -> Result<String>
 where
 	R: Read + Seek,
 {
-	let atom = AtomInfo::read(data, reader_size, parse_mode)?;
+	let atom = AtomInfo::read(data, *reader_size, parse_mode)?;
 
 	match atom {
 		Some(AtomInfo {
@@ -267,6 +267,10 @@ where
 				err!(BadAtom("Found an incomplete freeform identifier chunk"));
 			}
 
+			if len >= *reader_size {
+				err!(SizeMismatch);
+			}
+
 			// Version (1)
 			// Flags (3)
 			data.seek(SeekFrom::Current(4))?;
@@ -275,6 +279,8 @@ where
 			let mut content = try_vec![0; (len - 12) as usize];
 			data.read_exact(&mut content)?;
 
+			*reader_size -= len;
+
 			utf8_decode(content).map_err(|_| {
 				LoftyError::new(ErrorKind::BadAtom(
 					"Found a non UTF-8 string while reading freeform identifier",
diff --git a/lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_97_RAND_34488648178055098192895.m4a b/lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_97_RAND_34488648178055098192895.m4a
diff --git a/lofty/tests/fuzz/mp4file_read_from.rs b/lofty/tests/fuzz/mp4file_read_from.rs
@@ -39,3 +39,11 @@ fn panic4() {
 	);
 	let _ = Mp4File::read_from(&mut reader, ParseOptions::new());
 }
+
+#[test]
+fn panic5() {
+	let mut reader = crate::get_reader(
+		"mp4file_read_from/steam_at_mention_IDX_97_RAND_34488648178055098192895.m4a",
+	);
+	let _ = Mp4File::read_from(&mut reader, ParseOptions::new());
+}
