rust: fix int underflow when chunk wasn't closed (#1480)

### Changelog
<!-- Write a one-sentence summary of the user-impacting change (API,
UI/UX, performance, etc) that could appear in a changelog. Write "None"
if there is no user-facing change -->

- rust: fix int underflow on chunk with invalid size

### Docs

<!-- Link to a Docs PR, tracking ticket in Linear, OR write "None" if no
documentation changes are needed. -->

None

### Description

When a chunk doesn't close correctly (loss of power, crash, etc.) the
size that was written will be `u64::MAX`. If you try and read a file
like this with the Rust reader it breaks because the size of the chunk
is expected to be valid. In debug mode this will panic due to underflow,
in release mode this value will wrap and break something else down the
track.

This change explicitly uses checked calculations for the chunk size and
returns an `UnexpectedEoc` error if any of the calculations overflow.

Fixes #1479.
Fixes FIRE-202.

Author: bennetthardwick

rust/src/sans_io/linear_reader.rs

@@ -509,8 +509,15 @@ impl LinearReader {
                         &mut self.decompressors,
                         &header.compression
                     ));
+
+                    let chunk_data_len = check!(len
+                        .checked_sub(header_len as u64)
+                        .ok_or(McapError::UnexpectedEoc));
+
                     let padding_after_compressed_data = check!(check_len(
-                        len - (header_len as u64) - header.compressed_size,
+                        check!(chunk_data_len
+                            .checked_sub(header.compressed_size)
+                            .ok_or(McapError::UnexpectedEoc)),
                         self.options.record_length_limit
                     )
                     .ok_or(McapError::ChunkTooLarge(len)));
@@ -706,6 +713,7 @@ impl LinearReader {
 }
 
 /// Events emitted by the linear reader.
+#[derive(Debug)]
 pub enum LinearReadEvent<'a> {
     /// The reader needs more data to provide the next record. Call [`LinearReader::insert`] then
     /// [`LinearReader::notify_read`] to load more data. The value provided here is a hint for how
@@ -985,6 +993,7 @@ mod tests {
         );
         Ok(())
     }
+    use assert_matches::assert_matches;
     use paste::paste;
 
     macro_rules! test_chunked_parametrized {
@@ -1206,4 +1215,31 @@ mod tests {
         }
         assert_eq!(message_count, 12);
     }
+
+    #[test]
+    fn test_handles_failed_to_close_chunks() {
+        let mut f =
+            std::fs::File::open("tests/data/chunk_not_closed.mcap").expect("failed to open file");
+        let mut output = vec![];
+        f.read_to_end(&mut output).expect("failed to read");
+
+        let mut reader = LinearReader::new();
+        reader.insert(output.len()).copy_from_slice(&output[..]);
+        reader.notify_read(output.len());
+
+        // the first record is the header;
+        let next = reader
+            .next_event()
+            .expect("there should be one event")
+            .expect("first record should be header");
+
+        let LinearReadEvent::Record { opcode: 1, .. } = next else {
+            panic!("expected first record to be header");
+        };
+
+        let next = reader.next_event().expect("there should be one event");
+
+        // test fails with unexpected EOC because sizes are u64::max
+        assert_matches!(next, Err(McapError::UnexpectedEoc));
+    }
 }

rust/tests/data/chunk_not_closed.mcap

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7b49182be8db86f194a34617cab44720d50460d9caa7ec54cbcf5c19700b8578
+size 92