Out of range in id3

[nyw0102]

When I was using "id3-image" crate which uses "id3" as its dependencies, the out of range error occurs in the code region in this program.

Version

latest

Description

There is an out of range bug in "remove_images" function caused by function "<id3::storage::PlainWriter as std::io::Write>::flush::h5825e0757764ba15". When the size of id3v2 region is big enough, the function reaches out of range bug.

Current Behavior

range start index 65556 out of range for slice of length 65536
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at /home/nyw0102/.cargo/registry/src/index.crates.io-6f17d22bba15001f/id3-1.5.1/src/storage.rs:233:48:
range start index 65556 out of range for slice of length 65536
stack backtrace:
   0:     0x55bd8ed7042a - std::backtrace_rs::backtrace::libunwind::trace::ha6eb751904719f40
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/../../backtrace/src/backtrace/libunwind.rs:116:5
   1:     0x55bd8ed7042a - std::backtrace_rs::backtrace::trace_unsynchronized::h837c6ccf82d7781c
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x55bd8ed7042a - std::sys::backtrace::_print_fmt::h62d3c25953982b4e
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/sys/backtrace.rs:66:9
   3:     0x55bd8ed7042a - <std::sys::backtrace::BacktraceLock::print::DisplayBacktrace as core::fmt::Display>::fmt::h9d42d62719d070d7
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/sys/backtrace.rs:39:26
   4:     0x55bd8ed93c63 - core::fmt::rt::Argument::fmt::h93e0c3eea084fbfa
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/core/src/fmt/rt.rs:177:76
   5:     0x55bd8ed93c63 - core::fmt::write::he7a421eb4c9a9d75
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/core/src/fmt/mod.rs:1186:21
   6:     0x55bd8ed6d213 - std::io::Write::write_fmt::h567af23beaa18959
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/io/mod.rs:1839:15
   7:     0x55bd8ed70272 - std::sys::backtrace::BacktraceLock::print::h0f6e88707316b8f0
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/sys/backtrace.rs:42:9
   8:     0x55bd8ed7121c - std::panicking::default_hook::{{closure}}::h51c0a9b7a1b27603
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/panicking.rs:268:22
   9:     0x55bd8ed71062 - std::panicking::default_hook::h97535dc250d97546
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/panicking.rs:295:9
  10:     0x55bd8ed717f7 - std::panicking::rust_panic_with_hook::h43f7938156b6bea8
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/panicking.rs:801:13
  11:     0x55bd8ed7168a - std::panicking::begin_panic_handler::{{closure}}::hdd2070c285bd1cc7
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/panicking.rs:674:13
  12:     0x55bd8ed70909 - std::sys::backtrace::__rust_end_short_backtrace::hfdc9b232972de0bd
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/sys/backtrace.rs:170:18
  13:     0x55bd8ed7131c - rust_begin_unwind
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/panicking.rs:665:5
  14:     0x55bd8e34d580 - core::panicking::panic_fmt::h283601b5555cf015
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/core/src/panicking.rs:74:14
  15:     0x55bd8e34dab7 - core::slice::index::slice_start_index_len_fail_rt::hd1f5c0dc410619f0
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/core/src/slice/index.rs:43:5
  16:     0x55bd8e34dab7 - core::slice::index::slice_start_index_len_fail::h4ceed9dc3ff22724
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/core/src/slice/index.rs:37:5
  17:     0x55bd8e9b5b8d - <core::ops::range::RangeFrom<usize> as core::slice::index::SliceIndex<[T]>>::index_mut::h99a93e5225b9d350
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/core/src/slice/index.rs:598:13
  18:     0x55bd8e919689 - core::slice::index::<impl core::ops::index::IndexMut<I> for [T]>::index_mut::h5cf126733ba6b8f3
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/core/src/slice/index.rs:27:9
  19:     0x55bd8e919689 - core::array::<impl core::ops::index::IndexMut<I> for [T; N]>::index_mut::h3e58dd77429eaa83
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/core/src/array/mod.rs:386:9
  20:     0x55bd8e464218 - <id3::storage::PlainWriter<F> as std::io::Write>::flush::h5825e0757764ba15
                               at /home/nyw0102/.cargo/registry/src/index.crates.io-6f17d22bba15001f/id3-1.5.1/src/storage.rs:233:48
  21:     0x55bd8e46e0d6 - <id3::storage::PlainWriter<F> as core::ops::drop::Drop>::drop::hf59b49917a501c01
                               at /home/nyw0102/.cargo/registry/src/index.crates.io-6f17d22bba15001f/id3-1.5.1/src/storage.rs:275:17
  22:     0x55bd8e44d618 - core::ptr::drop_in_place<id3::storage::PlainWriter<std::fs::File>>::he391320ecb98a9c3
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/core/src/ptr/mod.rs:574:1
  23:     0x55bd8e410f1e - id3::tag::Tag::write_to_path::h591457bb69e81897
                               at /home/nyw0102/.cargo/registry/src/index.crates.io-6f17d22bba15001f/id3-1.5.1/src/tag.rs:219:5
  24:     0x55bd8e47229d - id3_image::remove_images::h55ee1c869658d101
                               at /home/nyw0102/FoundBugs/id3-image/src/lib.rs:74:5
  25:     0x55bd8e408126 - id3_image_remove::main::hd8c73b7e1f06689b
                               at /home/nyw0102/FoundBugs/id3-image/src/bin/id3-image-remove.rs:52:21
  26:     0x55bd8e404b0f - core::ops::function::FnOnce::call_once::h376c7d952ecdb15d
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/core/src/ops/function.rs:250:5
  27:     0x55bd8e4036b4 - std::sys::backtrace::__rust_begin_short_backtrace::he882625a213aeba6
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/sys/backtrace.rs:154:18
  28:     0x55bd8e4035bd - std::rt::lang_start::{{closure}}::h9fa6d9326c263b99
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/rt.rs:195:18
  29:     0x55bd8ed68a7e - core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::h1043265cd580ed94
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/core/src/ops/function.rs:284:13
  30:     0x55bd8ed68a7e - std::panicking::try::do_call::hb5c29842f49b5948
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/panicking.rs:557:40
  31:     0x55bd8ed68a7e - std::panicking::try::h04f863188af5f3b4
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/panicking.rs:520:19
  32:     0x55bd8ed68a7e - std::panic::catch_unwind::h72fdd0df4ae3366f
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/panic.rs:358:14
  33:     0x55bd8ed68a7e - std::rt::lang_start_internal::{{closure}}::h7414bcd7e2ab39f1
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/rt.rs:174:48
  34:     0x55bd8ed68a7e - std::panicking::try::do_call::h38b2c552d6579f14
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/panicking.rs:557:40
  35:     0x55bd8ed68a7e - std::panicking::try::h739c9016fd0bbae4
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/panicking.rs:520:19
  36:     0x55bd8ed68a7e - std::panic::catch_unwind::h3c0759403b79e69b
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/panic.rs:358:14
  37:     0x55bd8ed68a7e - std::rt::lang_start_internal::hcb6e57c5b744c08d
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/rt.rs:174:20
  38:     0x55bd8e4033a0 - std::rt::lang_start::h33e047502e25b94c
                               at /rustc/9322d183f45e0fd5a509820874cc5ff27744a479/library/std/src/rt.rs:194:17
  39:     0x55bd8e40a8ac - main
  40:     0x150dc5738d90 - __libc_start_call_main
                               at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
  41:     0x150dc5738e40 - __libc_start_main_impl
                               at ./csu/../csu/libc-start.c:392:3
  42:     0x55bd8e34dfb5 - _start
  43:                0x0 - <unknown>
thread 'main' panicked at core/src/panicking.rs:229:5:
panic in a destructor during cleanup
thread caused non-unwinding panic. aborting.
Aborted

Expected Behavior

Memory safety code with no out of range bug.

How to reproduce

Here is the code to reproduce:

    let tag = ::id3::Tag::read_from_path("crash_input-2.mp3").unwrap();

    tag.write_to_path("crash_input-2.mp3", ::id3::Version::Id3v23).unwrap();
}

crash input files:

crash_input-1.txt

crash_input-2.txt

Extra Comments

There is an conversation between me and the maintainer of "id3-image". Here is the link:

https://github.com/AndrewRadev/id3-image/issues/3#issuecomment-2654694479

[polyfloyd]

Thanks for reporting this!

Your id3 version is a bit old, but I can still reproduce your issue. I'll see if I have some time to address this soon.

If you or anyone else wants to have a crack at this, I pushed your crash code to the issue-156 branch.

[nyw0102]

Thank your for your consideration! I'll also take this issue into account and pushed a crack if I found a solution.