Report format error for small application blocks

ruuda · ruuda · commit c036944b93ed · 2017-02-22T23:22:03.000+01:00
If the application block is smaller than 4 bytes, this is invalid
(because the id is 4 bytes already), but we tried to read (length - 4)
bytes anyway. This computation could overflow, so the library would try
to read nearly 2^64 bytes (or 2^32 on 32-bit architectures), instead of
a small number. Now a proper format error is returned.

This issue was found using libfuzzer and cargo-fuzz.
diff --git a/src/metadata.rs b/src/metadata.rs
@@ -261,6 +261,10 @@ fn read_padding_block<R: ReadBytes>(input: &mut R, length: u32) -> Result<()> {
 }
 
 fn read_application_block<R: ReadBytes>(input: &mut R, length: u32) -> Result<(u32, Vec<u8>)> {
+    if length < 4 {
+        return fmt_err("application block length must be at least 4 bytes.")
+    }
+
     let id = try!(input.read_be_u32());
 
     // Four bytes of the block have been used for the ID, the rest is payload.

Original file line number	Diff line number	Diff line change
`@@ -261,6 +261,10 @@ fn read_padding_block<R: ReadBytes>(input: &mut R, length: u32) -> Result<()> {`
`261`	`261`	`}`
`262`	`262`
`263`	`263`	`fn read_application_block<R: ReadBytes>(input: &mut R, length: u32) -> Result<(u32, Vec<u8>)> {`
	`264`	`+ if length < 4 {`
	`265`	`+ return fmt_err("application block length must be at least 4 bytes.")`
	`266`	`+ }`
	`267`	`+`
`264`	`268`	`let id = try!(input.read_be_u32());`
`265`	`269`
`266`	`270`	`// Four bytes of the block have been used for the ID, the rest is payload.`