MPEG: Verify the size of APE tags

Serial-ATA · Serial-ATA · commit 831ac30fa61c · 2024-10-30T08:27:45.000-04:00
diff --git a/lofty/src/mpeg/read.rs b/lofty/src/mpeg/read.rs
@@ -163,7 +163,11 @@ where
 
 			// Seek back to the start of the tag
 			let pos = reader.stream_position()?;
-			reader.seek(SeekFrom::Start(pos - u64::from(header.size)))?;
+			let Some(start_of_tag) = pos.checked_sub(u64::from(header.size)) else {
+				err!(SizeMismatch);
+			};
+
+			reader.seek(SeekFrom::Start(start_of_tag))?;
 		},
 		_ => {
 			// Correct the position (APE header - Preamble)
diff --git a/lofty/tests/fuzz/assets/mpegfile_read_from/crash-7b5eb183cc14faf3ecc93bdf4a5e30b05f7a537d_minimized b/lofty/tests/fuzz/assets/mpegfile_read_from/crash-7b5eb183cc14faf3ecc93bdf4a5e30b05f7a537d_minimized
diff --git a/lofty/tests/fuzz/mpegfile_read_from.rs b/lofty/tests/fuzz/mpegfile_read_from.rs
@@ -19,6 +19,13 @@ fn crash2() {
 	let _ = MpegFile::read_from(&mut reader, ParseOptions::new());
 }
 
+#[test_log::test]
+fn crash3() {
+	let mut reader =
+		get_reader("mpegfile_read_from/crash-7b5eb183cc14faf3ecc93bdf4a5e30b05f7a537d_minimized");
+	let _ = MpegFile::read_from(&mut reader, ParseOptions::new());
+}
+
 #[test_log::test]
 fn oom1() {
 	oom_test::<MpegFile>("mpegfile_read_from/oom-f8730cbfa5682ab12343ccb70de9b71a061ef4d0");
