From ab42cb68f943213563609bd10c52fb43cdd0e261 Mon Sep 17 00:00:00 2001
From: Colin Murphy <colmurph@adobe.com>
Date: Wed, 11 Dec 2024 18:34:39 -0500
Subject: [PATCH] fix: Prevent negative length value for svg object locations

---
 sdk/src/asset_handlers/svg_io.rs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/sdk/src/asset_handlers/svg_io.rs b/sdk/src/asset_handlers/svg_io.rs
index 73d647610..7a7fefcd9 100644
--- a/sdk/src/asset_handlers/svg_io.rs
+++ b/sdk/src/asset_handlers/svg_io.rs
@@ -549,7 +549,7 @@ impl CAIWriter for SvgIO {
         let end = manifest_pos + encoded_manifest_len;
         let length = usize::value_from(stream_len(input_stream)?)
             .map_err(|_err| Error::InvalidAsset("value out of range".to_string()))?
-            - end;
+            .saturating_sub(end);
         positions.push(HashObjectPositions {
             offset: end,
             length,
@@ -1003,4 +1003,13 @@ pub mod tests {
         assert_eq!(&extract_provenance(&xmp).unwrap(), test_data);
         println!("{xmp}");
     }
+
+    #[test]
+    fn test_crash_integer_underflow() {
+        let data = [0x22, 0x3c, 0x73, 0x76, 0x67];
+        let mut stream = Cursor::new(&data);
+        let svg_io = SvgIO::new("svg");
+
+        let _ = svg_io.get_object_locations_from_stream(&mut stream);
+    }
 }