MP4: Fix panic on invalid hdlr atom size

Author: Serial-ATA

CHANGELOG.md

@@ -30,6 +30,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     - Fix panic when reading properties of a file with no timescale specified ([issue](https://github.com/Serial-ATA/lofty-rs/issues/418))
     - Fix panics when reading improperly sized freeform atom identifiers ([issue](https://github.com/Serial-ATA/lofty-rs/issues/425)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/426))
     - Fix panic when `data` atom length is less than 16 bytes ([issue](https://github.com/Serial-ATA/lofty-rs/issues/429))
+    - Fix panic when `hdlr` atom is an unexpected length ([issue](https://github.com/Serial-ATA/lofty-rs/issues/435))
   - **WAV**:
     - Fix panic when reading properties with large written bytes per second ([issue](https://github.com/Serial-ATA/lofty-rs/issues/420))
     - Fix panic when reading an improperly sized INFO LIST ([issue](https://github.com/Serial-ATA/lofty-rs/issues/427))

lofty/src/mp4/properties.rs

@@ -244,6 +244,12 @@ where
 						mdhd = Some(atom)
 					},
 					b"hdlr" => {
+						if atom.len < 20 {
+							log::warn!("Incomplete 'hdlr' atom, skipping");
+							skip_unneeded(reader, atom.extended, atom.len)?;
+							continue;
+						}
+
 						// The hdlr atom is followed by 8 zeros
 						reader.seek(SeekFrom::Current(8))?;
 

lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_83_RAND_107070306175668418039559.m4a

@@ -31,3 +31,11 @@ fn panic3() {
 	);
 	let _ = Mp4File::read_from(&mut reader, ParseOptions::new());
 }
+
+#[test]
+fn panic4() {
+	let mut reader = crate::get_reader(
+		"mp4file_read_from/steam_at_mention_IDX_83_RAND_107070306175668418039559.m4a",
+	);
+	let _ = Mp4File::read_from(&mut reader, ParseOptions::new());
+}