data/reports: add vulnerable_at to GO-2021-0097.yaml

Aliases: CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245

Updates #97

Change-Id: I54ddcaae0d9e3be94eaa1998dce9c239a9746415
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/465797
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Tim King <[email protected]>
Run-TryBot: Tatiana Bradley <[email protected]>

Author: tatianab

data/osv/GO-2021-0097.json

@@ -36,8 +36,12 @@
           {
             "path": "github.com/dhowden/tag",
             "symbols": [
+              "ReadAtoms",
+              "ReadDSFTags",
+              "ReadFrom",
+              "ReadID3v2Tags",
+              "metadataMP4.readAtomData",
               "readAPICFrame",
-              "readAtomData",
               "readPICFrame",
               "readTextWithDescrFrame"
             ]

data/reports/GO-2021-0097.yaml

@@ -2,14 +2,19 @@ modules:
   - module: github.com/dhowden/tag
     versions:
       - fixed: 0.0.0-20201120070457-d52dcb253c63
+    vulnerable_at: 0.0.0-20201119192538-6b18201aa5c5
     packages:
       - package: github.com/dhowden/tag
         symbols:
           - readPICFrame
           - readAPICFrame
           - readTextWithDescrFrame
-          - readAtomData
-        skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]'
+          - metadataMP4.readAtomData
+        derived_symbols:
+          - ReadAtoms
+          - ReadDSFTags
+          - ReadFrom
+          - ReadID3v2Tags
 description: |
     Due to improper bounds checking, a number of methods can trigger a panic due to attempted
     out-of-bounds reads. If the package is used to parse user supplied input, this may be