From 7330b95f2ec5981a3e145ed1e63c40970600e23d Mon Sep 17 00:00:00 2001 From: Serial <69764315+Serial-ATA@users.noreply.github.com> Date: Sat, 23 Nov 2024 15:56:49 -0500 Subject: [PATCH 1/2] MPEG: Fix potential panic in stream length calculation --- CHANGELOG.md | 1 + lofty/src/mpeg/properties.rs | 8 +++++++- ...f469a07ca27b291122f8f95f6fce4458ad5_minimized | Bin 0 -> 1094 bytes lofty/tests/fuzz/mpegfile_read_from.rs | 7 +++++++ 4 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 lofty/tests/fuzz/assets/mpegfile_read_from/crash-625fdf469a07ca27b291122f8f95f6fce4458ad5_minimized diff --git a/CHANGELOG.md b/CHANGELOG.md index e7f1abe58..9ce15c947 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -59,6 +59,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **WavPack***: Fix panic when encountering wrongly sized blocks ([issue](https://github.com/Serial-ATA/lofty-rs/issues/472)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/480)) - **WavPack***: Fix panic when encountering zero-sized blocks ([issue](https://github.com/Serial-ATA/lofty-rs/issues/473)) - **MPEG**: Fix panic when APE tags are incorrectly sized ([issue](https://github.com/Serial-ATA/lofty-rs/issues/474)) + - **MPEG**: Fix panic when calculating the stream length for files with improperly sized frames ([issue](https://github.com/Serial-ATA/lofty-rs/issues/487)) - **ID3v2**: Fix panic when parsing non-ASCII `TDAT` and `TIME` frames in `TDRC` conversion ([issue](https://github.com/Serial-ATA/lofty-rs/issues/477)) - **APE**: Fix panic when parsing incorrectly sized header APE tags ([issue](https://github.com/Serial-ATA/lofty-rs/issues/481)) diff --git a/lofty/src/mpeg/properties.rs b/lofty/src/mpeg/properties.rs index 23e6fac28..12209e6a5 100644 --- a/lofty/src/mpeg/properties.rs +++ b/lofty/src/mpeg/properties.rs 
@@ -212,7 +212,13 @@ where return Ok(()); }; - let stream_len = (last_frame_offset + u64::from(last_frame_header.len)) - first_frame_offset; + let stream_end = last_frame_offset + u64::from(last_frame_header.len); + if stream_end < first_frame_offset { + // Something is incredibly wrong with this file, just give up + return Ok(()); + } + + let stream_len = stream_end - first_frame_offset; if !is_cbr { log::debug!("MPEG: VBR detected"); diff --git a/lofty/tests/fuzz/assets/mpegfile_read_from/crash-625fdf469a07ca27b291122f8f95f6fce4458ad5_minimized b/lofty/tests/fuzz/assets/mpegfile_read_from/crash-625fdf469a07ca27b291122f8f95f6fce4458ad5_minimized new file mode 100644 index 0000000000000000000000000000000000000000..258027ec673005f8aa5bbb2149e00da782540f79 GIT binary patch literal 1094 zcmezW+3Cn#5u>y-4B1|v*8hvmy4UUGG;O=e`L6B8D%=4sp)L>RN$31H!7Z|x)3=W6 z|7V9IFC=H%y$Z9MwcowTflqK&*+QQupc3yv{oQ|g?0??1{=ZcH z(L?!vmYl7UVtyP_|JeNh_J99>|3CWnuje!chhqi~6R$cfc_G!r00c+p9l4jM=k6N8 z5ESNU1QKCzbMp)WGZ_B=|Nk4rat30@0M`&ls5(OihC3JlqJ=u71q>h?2Np9hFfcSS zF*mg|F*G+dGcq$UHZ(CbGz7Wd;GlsahO2N101Zyj6&IGi(&QJ<;v}zgRPu{KNWSyz z(~>vY?+0i4NiM&rWBwW*mR@Inwxl#h<2a-d-&cv)?bc zDrKRr=vP%9>ZN?VC~%R8M}wCix3u8W+SzIMFHD>M1)`n}rj#H(H4u>35Ad zc0MMcb>ktumgBDdNtLqwN*qba{9Eb{?>pk}lhv|WirammVe3S#^c^>rFPtQB%&@26 zIG^0{gD+myweQ$CTVCyS-;P&0e-&^4WB8{ud*i|7MrjF>EY8KPnkJ=jOE?5y)h#$A za&FPdC|OUj{gXY-_Ib&DUS|5m|5@>>&r5zTOMW@+3y|bpmtV&WMg3T-KngLx8^8KULeptr_z~Ua_Us)ZJLE_Euw#q zTIh$!Y4vjpn0Tk()=~;`DL)c("mpegfile_read_from/oom-f8730cbfa5682ab12343ccb70de9b71a061ef4d0"); From 10261350675d8ac1d637316810470bc70c6c4781 Mon Sep 17 00:00:00 2001 
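Review bot: The new `stream_end` computation `last_frame_offset + u64::from(last_frame_header.len)` is still an unchecked u64 addition, so a corrupt last-frame offset close to the top of the range would overflow (a panic in debug builds, a wrap in release) before the new underflow guard ever runs; a checked form keeps the guard covering both directions, e.g. `let Some(stream_end) = last_frame_offset.checked_add(u64::from(last_frame_header.len)) else { return Ok(()); };`. In practice the offset comes from a reader position, so this is mainly a consistency point with the fuzz-driven hardening the patch is doing. The guard also admits `stream_end == first_frame_offset`, which yields `stream_len == 0`; if the CBR/VBR branches below divide by the stream length, `<=` would be the safer comparison, but that code is outside the hunk so I cannot confirm. The enclosing function starts before the hunk.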
From: Serial <69764315+Serial-ATA@users.noreply.github.com> Date: Sat, 23 Nov 2024 16:11:09 -0500 Subject: [PATCH 2/2] WV: Verify the size of non-standard sample rate blocks --- CHANGELOG.md | 3 ++- lofty/src/wavpack/properties.rs | 4 ++++ ...f40152ed0dcb39eb66003ecca7d42d56bf3_minimized | Bin 0 -> 2102 bytes lofty/tests/fuzz/wavpackfile_read_from.rs | 8 ++++++++ 4 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 lofty/tests/fuzz/assets/wavpackfile_read_from/crash-5f9ecf40152ed0dcb39eb66003ecca7d42d56bf3_minimized diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ce15c947..481c007bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -53,11 +53,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - When skipping invalid frames in `ParsingMode::{BestAttempt, Relaxed}`, the parser will no longer be able to go out of the bounds of the frame content ([issue](https://github.com/Serial-ATA/lofty-rs/issues/458)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/459)) - **MP4**: Support for flag items (ex. `cpil`) of any size (not just 1 byte) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/457)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/460)) -- **Fuzzing** (Thanks [@qarmin](https://github.com/qarmin)!) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/476)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/479)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/483)): +- **Fuzzing** (Thanks [@qarmin](https://github.com/qarmin)!) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/476)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/479)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/483)) ([PR](https://github.com/Serial-ATA/lofty-rs/pull/489)): - **MusePack**: Fix panic when ID3v2 tag sizes exceed the stream length ([issue](https://github.com/Serial-ATA/lofty-rs/issues/470)) - **WAV**: Fix panic when calculating bit depth with abnormally large `bytes_per_sample` ([issue](https://github.com/Serial-ATA/lofty-rs/issues/471)) - **WavPack***: Fix panic when encountering wrongly sized blocks ([issue](https://github.com/Serial-ATA/lofty-rs/issues/472)) ([issue](https://github.com/Serial-ATA/lofty-rs/issues/480)) - **WavPack***: Fix panic when encountering zero-sized blocks ([issue](https://github.com/Serial-ATA/lofty-rs/issues/473)) + - **WavPack**: Verify the size of non-standard sample rate blocks ([issue](https://github.com/Serial-ATA/lofty-rs/issues/488)) - **MPEG**: Fix panic when APE tags are incorrectly sized ([issue](https://github.com/Serial-ATA/lofty-rs/issues/474)) - **MPEG**: Fix panic when calculating the stream length for files with 
improperly sized frames ([issue](https://github.com/Serial-ATA/lofty-rs/issues/487)) - **ID3v2**: Fix panic when parsing non-ASCII `TDAT` and `TIME` frames in `TDRC` conversion ([issue](https://github.com/Serial-ATA/lofty-rs/issues/477)) diff --git a/lofty/src/wavpack/properties.rs b/lofty/src/wavpack/properties.rs index ff9c9502d..9105415c7 100644 --- a/lofty/src/wavpack/properties.rs +++ b/lofty/src/wavpack/properties.rs @@ -333,6 +333,10 @@ fn get_extended_meta_info( match id & 0x3F { ID_NON_STANDARD_SAMPLE_RATE => { + if size < 3 { + decode_err!(@BAIL WavPack, "Encountered an invalid block size for non-standard sample rate"); + } + properties.sample_rate = reader.read_u24::()?; size -= 3; }, diff --git a/lofty/tests/fuzz/assets/wavpackfile_read_from/crash-5f9ecf40152ed0dcb39eb66003ecca7d42d56bf3_minimized b/lofty/tests/fuzz/assets/wavpackfile_read_from/crash-5f9ecf40152ed0dcb39eb66003ecca7d42d56bf3_minimized new file mode 100644 index 0000000000000000000000000000000000000000..34f347558f53099688b5409f53c44e103957e1d1 GIT binary patch literal 2102 zcmXRfE6CR4U|?`f%Vl6_XlR@@ar(3=>Jz&L**06vnNs=QOdMYRcWDe>BwuuZ5JzU zslhEH;NU>mfxu(|0_hkkhkw*CWB3^+;NalkDtIuN=M%f&qG$Iv3w)`lvbj91y8p1z z#{SYuYxBJ|N2{E6pDB*I%QWTow9su~+B+(<7rkDx^-Y`klth(vcm35Tb34j}eP@}o zYN3mu3ztHZfJW0SEfGf`bZ~HF4Oqk~!onix>d4f=!NDQo$f3%j00dJ68ZgU>(9m=; ziUmlt;wAsH;fg zH8kF6T)q;bmt_T4rz1y3v9HtB`-f9hEP75oka<=3RL0kq+pW*+>}Er+v&-M4>zDTa zo%(f2d0FuB(p-%-!ACxPv%c``#fE*mg9UiJSXse$q*;MEiGf2vFZ2ljXlPcb literal 0 HcmV?d00001 diff --git a/lofty/tests/fuzz/wavpackfile_read_from.rs b/lofty/tests/fuzz/wavpackfile_read_from.rs index c2b2376f8..fda138600 100644 --- a/lofty/tests/fuzz/wavpackfile_read_from.rs +++ b/lofty/tests/fuzz/wavpackfile_read_from.rs 
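Review bot: The new `size < 3` guard encodes the width of the value read two lines later without saying so; a one-line comment would tie the two together, e.g. `// Non-standard sample rates are stored as a u24; bail if the block cannot hold one` placed above the `if`. The other arms of this `match` presumably also read a fixed number of bytes and then do `size -= N`; if any of them lacks the same pre-check it would still underflow in exactly the way this arm did, but they are outside the hunk so I cannot confirm. `get_extended_meta_info` starts and ends outside the hunk.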
@@ -112,3 +112,11 @@ fn panic4() { ); let _ = WavPackFile::read_from(&mut reader, ParseOptions::default()); } + +#[test_log::test] +fn panic5() { + let mut reader = crate::get_reader( + "wavpackfile_read_from/crash-5f9ecf40152ed0dcb39eb66003ecca7d42d56bf3_minimized", + ); + let _ = WavPackFile::read_from(&mut reader, ParseOptions::default()); +}
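Review bot: `panic5` says nothing about what it regresses beyond the crash artefact name, so a reader cannot tell the `panicN` tests apart without the changelog; a comment on the new function such as `// Regression test (issue #488): an undersized non-standard sample rate block must return an error, not panic` would fix that. Discarding the result with `let _` matches the neighbouring tests and is adequate for a no-panic check, though asserting `is_err()` would also pin the intended outcome of the new guard.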