From 87f176897ccb8238f1c2dab2b096d836a1b4514c Mon Sep 17 00:00:00 2001
From: Serial <69764315+Serial-ATA@users.noreply.github.com>
Date: Tue, 23 Jul 2024 15:39:55 -0400
Subject: [PATCH] MP4: Fix panic on improperly sized freeform idents
---
 CHANGELOG.md | 1 +
 lofty/src/mp4/atom_info.rs | 17 ++++++++++-------
 ...ion_IDX_97_RAND_34488648178055098192895.m4a | Bin 0 -> 3369 bytes
 lofty/tests/fuzz/mp4file_read_from.rs | 8 ++++++++
 4 files changed, 19 insertions(+), 7 deletions(-)
 create mode 100755 lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_97_RAND_34488648178055098192895.m4a
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c72abdb34..23b8cfcac 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,6 +30,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fix panic when reading properties of a file with no timescale specified ([issue](https://github.com/Serial-ATA/lofty-rs/issues/418))
 - Fix panics when reading improperly sized freeform atom identifiers ([issue](https://github.com/Serial-ATA/lofty-rs/issues/425)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/426))
 - Fix panic when `data` atom length is less than 16 bytes ([issue](https://github.com/Serial-ATA/lofty-rs/issues/429))
+ - Fix panic with improperly sized freeform identifiers ([issue](https://github.com/Serial-ATA/lofty-rs/issues/430))
 - Fix panic when `hdlr` atom is an unexpected length ([issue](https://github.com/Serial-ATA/lofty-rs/issues/435))
 - **WAV**:
 - Fix panic when reading properties with large written bytes per second ([issue](https://github.com/Serial-ATA/lofty-rs/issues/420))
diff --git a/lofty/src/mp4/atom_info.rs b/lofty/src/mp4/atom_info.rs
index 55db62e5c..48e281331 100644
--- a/lofty/src/mp4/atom_info.rs
+++ b/lofty/src/mp4/atom_info.rs
@@ -199,7 +199,7 @@ impl AtomInfo {
 err!(BadAtom("Found an incomplete freeform identifier"));
 }
 
- atom_ident = parse_freeform(data, len, reader_size, parse_mode)?;
+ atom_ident = parse_freeform(data, len - ATOM_HEADER_LEN, parse_mode)?;
 } else {
 atom_ident = AtomIdent::Fourcc(identifier);
 }
@@ -224,7 +224,6 @@ impl AtomInfo {
 fn parse_freeform(
 data: &mut R,
 atom_len: u64,
- reader_size: u64,
 parse_mode: ParsingMode,
 ) -> Result>
 where
@@ -237,8 +236,10 @@ where
 err!(BadAtom("Found an incomplete freeform identifier"));
 }
 
- let mean = freeform_chunk(data, b"mean", reader_size, parse_mode)?;
- let name = freeform_chunk(data, b"name", reader_size - 4, parse_mode)?;
+ let (mean, bytes_read) = freeform_chunk(data, b"mean", atom_len, parse_mode)?;
+ let atom_len = atom_len - bytes_read;
+
+ let (name, _bytes_read) = freeform_chunk(data, b"name", atom_len, parse_mode)?;
 
 Ok(AtomIdent::Freeform {
 mean: mean.into(),
@@ -251,7 +252,7 @@ fn freeform_chunk(
 name: &[u8],
 reader_size: u64,
 parse_mode: ParsingMode,
-) -> Result
+) -> Result<(String, u64)>
 where
 R: Read + Seek,
 {
@@ -275,11 +276,13 @@ where
 let mut content = try_vec![0; (len - 12) as usize];
 data.read_exact(&mut content)?;
 
- utf8_decode(content).map_err(|_| {
+ let content = utf8_decode(content).map_err(|_| {
 LoftyError::new(ErrorKind::BadAtom(
 "Found a non UTF-8 string while reading freeform identifier",
 ))
- })
+ })?;
+
+ Ok((content, len))
 },
 _ => err!(BadAtom(
 "Found freeform identifier \"----\" with no trailing \"mean\" or \"name\" atoms"
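Review bot: The new `let atom_len = atom_len - bytes_read;` in parse_freeform is an unchecked subtraction on file-controlled sizes: `bytes_read` is the `len` field freeform_chunk reads from the file, and unless freeform_chunk already rejects `len > reader_size` (that check, if present, is outside the hunk), the subtraction panics in debug builds and wraps in release builds, handing the `name` chunk a huge bound that makes any size check there ineffective. Use a checked form that fails like the surrounding guards, e.g. `let atom_len = atom_len.checked_sub(bytes_read).ok_or_else(|| LoftyError::new(ErrorKind::BadAtom("Found an incomplete freeform identifier")))?;`. The same concern applies to `len - ATOM_HEADER_LEN` in the first hunk if the incomplete-identifier guard just above it does not establish `len >= ATOM_HEADER_LEN`. Since freeform_chunk now returns a tuple, a doc comment on it should state that the second element is the chunk's own `len` field including its 12-byte header, which is exactly what the caller subtracts. Both parse_freeform and freeform_chunk extend beyond these hunks.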
diff --git a/lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_97_RAND_34488648178055098192895.m4a b/lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_97_RAND_34488648178055098192895.m4a
new file mode 100755
index 0000000000000000000000000000000000000000..33355ce6df8c3bc94da1f64f4486965f8196dd4f
GIT binary patch
literal 3369
zcmeHGJ8KkC6h1R~;R`k)A&CYvM1>T(?ql*Ooba4{;9E(}46%2c8XQXT?*miOiRfp|x!J2GNlnVY3gc?gzn7 z0>y!Q8M^h^;$+y%_SprJ&BXP zaCxg;jTJP!;X9nsYFibql}onN(wXE~QcsRSDEe>#20tKdBlxpTM0Csj^yFx|8fYlOlz)m~4|fi*_fzrSr%R@T_n6n_ z4bKq#2F9Z!fD%<~k7J5qF7Q)T7d*q~2P8f7HpZ)_WmZV(;2S%0fVOp#&0W4Si@N1~ zB%2wF4xP(|WF#{a5`8KnRbi&bgOr}igjLyWR*%YS#3SmswdmQwg`sQHnhG=(Xe!WD Q;IInJ9d?0c{r{`LE=t+*JOBUy
literal 0
HcmV?d00001
diff --git a/lofty/tests/fuzz/mp4file_read_from.rs b/lofty/tests/fuzz/mp4file_read_from.rs
index 031173fb4..2717c1567 100644
--- a/lofty/tests/fuzz/mp4file_read_from.rs
+++ b/lofty/tests/fuzz/mp4file_read_from.rs
@@ -39,3 +39,11 @@ fn panic4() {
 );
 let _ = Mp4File::read_from(&mut reader, ParseOptions::new());
 }
+
+#[test]
+fn panic5() {
+ let mut reader = crate::get_reader(
+ "mp4file_read_from/steam_at_mention_IDX_97_RAND_34488648178055098192895.m4a",
+ );
+ let _ = Mp4File::read_from(&mut reader, ParseOptions::new());
+}
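Review bot: `panic5` in mp4file_read_from.rs gives a reader no hint of what the fuzz fixture exercises, so a one-line comment tying it to the fix would help future maintainers, e.g. `// Regression test for issue 430: improperly sized freeform identifier must error, not panic`. Discarding the result with `let _ =` matches panic4 above it, so the test only establishes that the parser no longer panics on this input, which appears to be the intended contract for these fuzz regressions.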