AAC: Fix overflow on tag size mismatches

Serial-ATA · Aug 24, 2024 · 34238b5 · 34238b5
1 parent 9c967f6
commit 34238b5
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 4 deletions.
diff --git a/lofty/src/aac/read.rs b/lofty/src/aac/read.rs
@@ -5,7 +5,7 @@ use crate::error::Result;
 use crate::id3::v2::header::Id3v2Header;
 use crate::id3::v2::read::parse_id3v2;
 use crate::id3::{find_id3v1, ID3FindResults};
-use crate::macros::{decode_err, parse_mode_choice};
+use crate::macros::{decode_err, err, parse_mode_choice};
 use crate::mpeg::header::{cmp_header, search_for_frame_sync, HeaderCmpResult};
 
 use std::io::{Read, Seek, SeekFrom};
@@ -46,7 +46,11 @@ where
 				let header = Id3v2Header::parse(reader)?;
 				let skip_footer = header.flags.footer;
 
-				stream_len -= u64::from(header.size);
+				let Some(new_stream_len) = stream_len.checked_sub(u64::from(header.size)) else {
+					err!(SizeMismatch);
+				};
+
+				stream_len = new_stream_len;
 
 				if parse_options.read_tags {
 					let id3v2 = parse_id3v2(reader, header, parse_options)?;
@@ -67,7 +71,11 @@ where
 				if skip_footer {
 					log::debug!("Skipping ID3v2 footer");
 
-					stream_len -= 10;
+					let Some(new_stream_len) = stream_len.checked_sub(10) else {
+						err!(SizeMismatch);
+					};
+
+					stream_len = new_stream_len;
 					reader.seek(SeekFrom::Current(10))?;
 				}
 
@@ -99,7 +107,11 @@ where
 	let ID3FindResults(header, id3v1) = find_id3v1(reader, parse_options.read_tags)?;
 
 	if header.is_some() {
-		stream_len -= 128;
+		let Some(new_stream_len) = stream_len.checked_sub(128) else {
+			err!(SizeMismatch);
+		};
+
+		stream_len = new_stream_len;
 		file.id3v1_tag = id3v1;
 	}
 

diff --git a/lofty/tests/fuzz/aacfile_read_from.rs b/lofty/tests/fuzz/aacfile_read_from.rs
@@ -0,0 +1,11 @@
+use lofty::aac::AacFile;
+use lofty::config::ParseOptions;
+use lofty::file::AudioFile;
+
+#[test]
+fn panic1() {
+	let mut reader = crate::get_reader(
+		"aacfile_read_from/01 -  aalborg_IDX_9_RAND_168952727934877251846138.mp3",
+	);
+	let _ = AacFile::read_from(&mut reader, ParseOptions::new());
+}
diff --git a/...tests/fuzz/assets/aacfile_read_from/01 - aalborg_IDX_9_RAND_168952727934877251846138.mp3 b/...tests/fuzz/assets/aacfile_read_from/01 - aalborg_IDX_9_RAND_168952727934877251846138.mp3
diff --git a/lofty/tests/fuzz/main.rs b/lofty/tests/fuzz/main.rs
@@ -6,6 +6,7 @@ use std::path::Path;
 use std::thread;
 use std::time::Instant;
 
+mod aacfile_read_from;
 mod aifffile_read_from;
 mod flacfile_read_from;
 mod id3v2;