
attempt to subtract with overflow in mpeg/properties.rs #487

Closed
@qarmin

Description

@qarmin

Reproducer

I tried this code:

#![no_main]

use libfuzzer_sys::{fuzz_target, Corpus};
use lofty::file::AudioFile;
use lofty::file::{FileType, TaggedFileExt};
use lofty::probe::Probe;

// File types the fuzz target below forces the probe to parse each input as.
// The harness walks this list in order with `Probe::with_file_type`, so every
// listed parser sees the same raw bytes.
// NOTE(review): the name suggests this covers every `FileType` variant; that
// cannot be confirmed from this snippet, so re-check after a lofty upgrade.
const ALL_FILE_TYPES: &[FileType] = &[
    FileType::Aac,
    FileType::Aiff,
    FileType::Ape,
    FileType::Flac,
    FileType::Mpeg,
    FileType::Mp4,
    FileType::Mpc,
    FileType::Opus,
    FileType::Vorbis,
    FileType::Speex,
    FileType::Wav,
    FileType::WavPack,
];

// Fuzz entry point: hands the same untrusted byte slice to every parser in
// `ALL_FILE_TYPES` and then touches the accessors of whatever parsed.
//
// A returned `Err` is the expected result for malformed input and is ignored;
// only a panic (or a sanitizer report) counts as a finding.
//
// Arithmetic-overflow panics only fire when overflow checks are compiled in.
// With them disabled the same subtraction wraps silently, so build this
// harness with overflow checks enabled when reproducing.
fuzz_target!(|data: &[u8]| -> Corpus {
    // Stays `Reject` unless at least one forced file type accepts the input.
    let mut verdict = Corpus::Reject;

    for file_type in ALL_FILE_TYPES {
        // Fresh cursor per attempt so each parser starts reading at offset 0.
        let reader = std::io::Cursor::new(data);

        let Ok(tagged_file) = Probe::with_file_type(reader, *file_type).read() else {
            continue;
        };

        verdict = Corpus::Keep;

        // Results are discarded on purpose; the calls only exercise the accessors.
        tagged_file.properties();
        tagged_file.tags();
        tagged_file.primary_tag();
    }

    verdict
});

Summary

thread 'main' panicked at /home/runner/.cargo/git/checkouts/lofty-rs-f5e48f8219b271cf/440cae8/lofty/src/mpeg/properties.rs:215:19:
attempt to subtract with overflow
stack backtrace:
   0: rust_begin_unwind
             at /rustc/b8c8287a229cd79604aa84c25e1235fc78cd5f2e/library/std/src/panicking.rs:665:5
   1: core::panicking::panic_fmt
             at /rustc/b8c8287a229cd79604aa84c25e1235fc78cd5f2e/library/core/src/panicking.rs:75:14
   2: core::panicking::panic_const::panic_const_sub_overflow
             at /rustc/b8c8287a229cd79604aa84c25e1235fc78cd5f2e/library/core/src/panicking.rs:186:21
   3: lofty::mpeg::properties::read_properties
             at /home/runner/.cargo/git/checkouts/lofty-rs-f5e48f8219b271cf/440cae8/lofty/src/mpeg/properties.rs:215:19
   4: lofty::mpeg::read::read_from
             at /home/runner/.cargo/git/checkouts/lofty-rs-f5e48f8219b271cf/440cae8/lofty/src/mpeg/read.rs:204:3
   5: <lofty::mpeg::MpegFile as lofty::file::audio_file::AudioFile>::read_from
             at /home/runner/.cargo/git/checkouts/lofty-rs-f5e48f8219b271cf/440cae8/lofty/src/mpeg/mod.rs:17:10
   6: lofty::probe::Probe<R>::read
             at /home/runner/.cargo/git/checkouts/lofty-rs-f5e48f8219b271cf/440cae8/lofty/src/probe.rs:472:23
   7: lofty::check_file
             at /home/runner/work/Automated-Fuzzer/Automated-Fuzzer/src/crates/lofty/src/main.rs:42:33
   8: lofty::main
             at /home/runner/work/Automated-Fuzzer/Automated-Fuzzer/src/crates/lofty/src/main.rs:26:9
   9: core::ops::function::FnOnce::call_once
             at /home/runner/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

File - crash-625fdf469a07ca27b291122f8f95f6fce4458ad5_minimized.zip

Expected behavior

No response

Assets

No response


    Labels

    bug: Something isn't working
