From c036944b93ed8f96701d39b3a76392d30fc12d19 Mon Sep 17 00:00:00 2001
From: Ruud van Asseldonk
Date: Wed, 22 Feb 2017 23:22:03 +0100
Subject: [PATCH] Report format error for small application blocks

If the application block is smaller than 4 bytes, this is invalid (because the id is 4 bytes already), but we tried to read (length - 4) bytes anyway. This computation could overflow, so the library would try to read nearly 2^64 bytes (or 2^32 on 32-bit architectures), instead of a small number. Now a proper format error is returned. This issue was found using libfuzzer and cargo-fuzz.
---
 src/metadata.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/metadata.rs b/src/metadata.rs
index a4b9a8a..2bc199c 100644
--- a/src/metadata.rs
+++ b/src/metadata.rs
@@ -261,6 +261,10 @@ fn read_padding_block(input: &mut R, length: u32) -> Result<()> {
 }
 
 fn read_application_block(input: &mut R, length: u32) -> Result<(u32, Vec)> {
+    if length < 4 {
+        return fmt_err("application block length must be at least 4 bytes.")
+    }
+
     let id = try!(input.read_be_u32());
     // Four bytes of the block have been used for the ID, the rest is payload.