From 59560234b42c668c8d238ec220c230403b074b9d Mon Sep 17 00:00:00 2001
From: Serial <69764315+Serial-ATA@users.noreply.github.com>
Date: Tue, 23 Jul 2024 15:30:46 -0400
Subject: [PATCH] MP4: Fix panic on invalid `hdlr` atom size

---
 CHANGELOG.md | 1 +
 lofty/src/mp4/properties.rs | 6 ++++++
 ...tion_IDX_83_RAND_107070306175668418039559.m4a | Bin 0 -> 3369 bytes
 lofty/tests/fuzz/mp4file_read_from.rs | 8 ++++++++
 4 files changed, 15 insertions(+)
 create mode 100755 lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_83_RAND_107070306175668418039559.m4a

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 54b25f9f..c72abdb3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,6 +30,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fix panic when reading properties of a file with no timescale specified ([issue](https://github.com/Serial-ATA/lofty-rs/issues/418))
 - Fix panics when reading improperly sized freeform atom identifiers ([issue](https://github.com/Serial-ATA/lofty-rs/issues/425)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/426))
 - Fix panic when `data` atom length is less than 16 bytes ([issue](https://github.com/Serial-ATA/lofty-rs/issues/429))
+ - Fix panic when `hdlr` atom is an unexpected length ([issue](https://github.com/Serial-ATA/lofty-rs/issues/435))
 - **WAV**:
 - Fix panic when reading properties with large written bytes per second ([issue](https://github.com/Serial-ATA/lofty-rs/issues/420))
 - Fix panic when reading an improperly sized INFO LIST ([issue](https://github.com/Serial-ATA/lofty-rs/issues/427))
diff --git a/lofty/src/mp4/properties.rs b/lofty/src/mp4/properties.rs
index 9c92273e..4025b24e 100644
--- a/lofty/src/mp4/properties.rs
+++ b/lofty/src/mp4/properties.rs
@@ -244,6 +244,12 @@ where
 mdhd = Some(atom)
 },
 b"hdlr" => {
+ if atom.len < 20 {
+ log::warn!("Incomplete 'hdlr' atom, skipping");
+ skip_unneeded(reader, atom.extended, atom.len)?;
+ continue;
+ }
+
 // The hdlr atom is followed by 8 zeros
 reader.seek(SeekFrom::Current(8))?;
diff --git a/lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_83_RAND_107070306175668418039559.m4a b/lofty/tests/fuzz/assets/mp4file_read_from/steam_at_mention_IDX_83_RAND_107070306175668418039559.m4a
new file mode 100755
index 0000000000000000000000000000000000000000..af6d864da62e8323c22bcf22f5a6fb733d27bfd1
GIT binary patch literal 3369 zcmeHGziSjh6n?w;aTpbnkdQ=!S%N}}cwX-Il9ciCql*TAU?ak2cXPSq_IBN!J5iBD z&?2C%pdd)VA}FM_u&}VO5Q#Sa0}26K3yTzfZ+4fvTv9~qeeB2k=Dm6IX1>`WB5g_B z_2%`98o}5*o}MiQuES%ZlUmTLBj%BOt z$EAT=t;9U`$}gu>S;D9@aKe?M%vmdp4_dy>c{bkTiK<`LLauBFVzCTf3`8K+4dZkJ zx4^q&tDj4yP7bi{u$&!O0h5;X_4Q%+R`{N&Ug}59&L3*or8Y#=?#^~N1;SE)AcQOd z=Vf&i!O;lXn@nIlk8{0|Z-MWK_z%px2Ob;hsU6rwNd_1IMu81r2$%-8fyclHEPV$4 zEAR?<2XJl=ar9C(0H;vEor0HB82 zhCaXHkHh~2z5w3<26L^a#zm|~cV{8ZIN-w^zO0^hui@tSFwHBwT1W1B~4yHB!9m#@sD zZsick<|d*;7YZTCXXiqq&qSmy%6vU;mCNPysJuZuqSUP=-
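Review bot: The bound in `if atom.len < 20` is a bare constant with nothing in the hunk saying what it covers. It presumably adds up the 8-byte atom header, the 8 bytes skipped by `reader.seek(SeekFrom::Current(8))` and a 4-byte handler type, so a comment such as `// 8 (atom header) + 8 (zeros) + 4 (handler type)` or a named constant would let a reader check it against the reads that follow. `atom.len` comes from the file, so this guard is what protects the size arithmetic further down the arm from attacker-controlled lengths; that arithmetic lies outside the hunk, so confirm it subtracts no more than 20. The early path also passes the undersized `atom.len` to `skip_unneeded`, whose body is not visible here, and it is worth confirming that it cannot underflow or seek backwards for lengths below the header size. The `b"hdlr"` arm starts inside the hunk and continues past its end.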