
Panic on overflow in subtraction #53

Closed
Manishearth opened this issue Mar 4, 2017 · 1 comment

@Manishearth

Found by cargo-fuzz by @frewsxcv

```rust
extern crate quick_xml;

use quick_xml::reader::Reader;
use std::io::Cursor;

fn main() {
    // Fuzzer-generated input that triggers the panic
    let data: &[u8] = b"\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\n(\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00<>\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00<<\x00\x00\x00";
    let cursor = Cursor::new(data);
    let mut reader = Reader::from_reader(cursor);
    let mut buf = vec![];
    // Drain events until EOF or the first error; the panic happens inside read_event
    loop {
        match reader.read_event(&mut buf) {
            Ok(quick_xml::events::Event::Eof) | Err(..) => break,
            _ => buf.clear(),
        }
    }
}
```
```
🐇 RUST_BACKTRACE=1 ../target/debug/read_xml
thread 'main' panicked at 'attempt to subtract with overflow', /home/manishearth/.cargo/git/checkouts/quick-xml-df13d551d3762172/0fd7fbb/src/reader.rs:368
stack backtrace:
   1:     0x560c727f24b9 - std::sys::imp::backtrace::tracing::imp::write::hbb14611794d3841b
                        at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:42
   2:     0x560c727f44ce - std::panicking::default_hook::{{closure}}::h6ed906c7818ac88c
                        at /checkout/src/libstd/panicking.rs:351
   3:     0x560c727f40d4 - std::panicking::default_hook::h23eeafbf7c1c05c3
                        at /checkout/src/libstd/panicking.rs:367
   4:     0x560c727f48cb - std::panicking::rust_panic_with_hook::hd0067971b6d1240e
                        at /checkout/src/libstd/panicking.rs:545
   5:     0x560c727f4754 - std::panicking::begin_panic::h1fd1f10a3de8f902
                        at /checkout/src/libstd/panicking.rs:507
   6:     0x560c727f46c9 - std::panicking::begin_panic_fmt::haa043917b5d6f21b
                        at /checkout/src/libstd/panicking.rs:491
   7:     0x560c727f4657 - rust_begin_unwind
                        at /checkout/src/libstd/panicking.rs:467
   8:     0x560c72819c5d - core::panicking::panic_fmt::he9c7f335d160b59d
                        at /checkout/src/libcore/panicking.rs:69
   9:     0x560c72819b94 - core::panicking::panic::hb790668694ff6b20
                        at /checkout/src/libcore/panicking.rs:49
  10:     0x560c727c56d1 - <quick_xml::reader::Reader<B>>::read_start::h4ca5c41cb76479cf
                        at /home/manishearth/.cargo/git/checkouts/quick-xml-df13d551d3762172/0fd7fbb/src/reader.rs:368
  11:     0x560c727c6635 - <quick_xml::reader::Reader<B>>::read_until_close::hfbfc33da61c25d63
                        at /home/manishearth/.cargo/git/checkouts/quick-xml-df13d551d3762172/0fd7fbb/src/reader.rs:209
  12:     0x560c727c4fe7 - <quick_xml::reader::Reader<B>>::read_event::h44d5632c6f14e52c
                        at /home/manishearth/.cargo/git/checkouts/quick-xml-df13d551d3762172/0fd7fbb/src/reader.rs:393
  13:     0x560c727d1729 - read_xml::main::h4120cc96af0987c8
                        at /home/manishearth/mozilla/fuzz/targets/quick-xml/read_xml.rs:12
  14:     0x560c727fb1fa - __rust_maybe_catch_panic
                        at /checkout/src/libpanic_unwind/lib.rs:98
  15:     0x560c727f4e16 - std::rt::lang_start::hb7fc7ec87b663023
                        at /checkout/src/libstd/panicking.rs:429
                        at /checkout/src/libstd/panic.rs:361
                        at /checkout/src/libstd/rt.rs:57
  16:     0x560c727d1852 - main
  17:     0x7fbb9807082f - __libc_start_main
  18:     0x560c727c2a58 - _start
  19:                0x0 - <unknown>
```

cc @pnkfelix
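Added example, not quick-xml's code and not the reproducer above: a toy start-tag classifier that reproduces the defect class behind this report, an unchecked `len - 1` on fuzzer-controlled input (the fuzz case contains an empty `<>` tag), beside a version that cannot underflow. The tag-name rule and the trailing-slash check are assumptions for illustration only, not quick-xml's actual `read_start` logic.

```rust
// Added example, not quick-xml's code: a toy start-tag classifier with the same
// defect class as the reported panic (unchecked `len - 1` on untrusted input).

#[derive(Debug, PartialEq)]
enum Tag<'a> {
    Start(&'a [u8]), // <name ...>
    Empty(&'a [u8]), // <name .../>
    Malformed,       // e.g. `<>` or `</>`: rejected as data, not a crash
}

/// Tag name is everything before the first space (a hypothetical rule).
fn tag_name(body: &[u8]) -> &[u8] {
    let end = body.iter().position(|&b| b == b' ').unwrap_or(body.len());
    &body[..end]
}

/// Naive: `body` is the bytes between '<' and '>'. For the empty tag `<>` it is
/// empty, so `len - 1` is `0 - 1`: "attempt to subtract with overflow" in debug
/// builds, a wrap to usize::MAX and an index panic in release builds.
fn classify_naive(body: &[u8]) -> Tag {
    let last = body.len() - 1;
    if body[last] == b'/' {
        Tag::Empty(tag_name(&body[..last]))
    } else {
        Tag::Start(tag_name(body))
    }
}

/// Hardened: `split_last` replaces the arithmetic, so an empty body becomes a
/// `Malformed` value instead of a panic, and an empty name is rejected too.
fn classify_checked(body: &[u8]) -> Tag {
    let (self_closing, name) = match body.split_last() {
        None => return Tag::Malformed,
        Some((&b'/', rest)) => (true, tag_name(rest)),
        Some(_) => (false, tag_name(body)),
    };
    match (name.is_empty(), self_closing) {
        (true, _) => Tag::Malformed,
        (false, true) => Tag::Empty(name),
        (false, false) => Tag::Start(name),
    }
}

/// Runs a fuzz-style corpus through the hardened classifier; returns how many
/// inputs it rejected. Unlike `classify_naive` it cannot panic on any input.
fn run_corpus(corpus: &[&[u8]]) -> usize {
    corpus.iter().filter(|b| classify_checked(b) == Tag::Malformed).count()
}
```

The same defence applies to any offset arithmetic on parser buffers: prefer `split_last`, `checked_sub` or `saturating_sub` over bare `-` so that malformed input yields an error rather than a panic (or a wrapped index in release builds).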

@tafia (Owner) commented Mar 5, 2017

Thanks!!
I do not have time today but I'll have a look tomorrow.
