/image-png

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unbounded memory consumption on malformed inputs #80

Closed
Shnatsel opened this Issue Jun 27, 2018 · 2 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@Shnatsel @newpavlov
@Shnatsel
Copy link
Contributor

Shnatsel commented Jun 27, 2018
edited

There is an integer overflow in

image-png/src/decoder/mod.rs

Line 51 in 9938365

self.line_size * self.height as usize

Aside of posing dangers for unsafe code (which shouldn't rely on this value anyway), this overflow causes enormous amounts of memory to be actually allocated when fed to png crate via the fuzzing harness. Not just virtual memory - actual physical memory.

The worst part is, fixing this correctly requires changing the external API: the function should use checked_mul() which returns Option<usize>, and actually return either an Option or Result to the outside.

Testcase: integer_overflow_in_multiplication found via afl-rs. Steps to reproduce the crash can be found in #79 except you need to build in debug mode, without the --release flag.

I would appreciate advice on how to proceed with fixing this issue. Is adding "deprecated" marker to this function in 0.12 series and releasing 0.13 with a breaking fix appropriate? Do we need the semver trick here?

Update: libpng itself also had similar issues; see https://libpng.sourceforge.io/decompression_bombs.html for more info. Among other things, they have introduced limits on the possible size of an image by default. In Rust we can easily allow the API user to override these limits via the builder pattern.

Shnatsel added a commit to Shnatsel/image-png that referenced this issue Jun 27, 2018

@Shnatsel
Add Address Sanitizer exceptions to fuzzing targets, see PistonDevelo… 
…pers#80 and rust-lang/rust#41807
5c60ae1

@Shnatsel Shnatsel referenced this issue Jun 27, 2018

Closed

Panic on malformed input #79

@Shnatsel Shnatsel changed the title Integer overflow in buffer_size() Huge memory consumption on malformed inputs Jun 27, 2018

@Shnatsel

This comment has been minimized.

Sign in to view
Copy link
Contributor

Shnatsel commented Jun 27, 2018

It is also possible that the overflow is not to blame, and is merely a side effect of incorrect handling of malformed files.

@Shnatsel Shnatsel changed the title Huge memory consumption on malformed inputs Unbounded memory consumption on malformed inputs Jun 27, 2018

Shnatsel added a commit to Shnatsel/image-png that referenced this issue Jun 27, 2018

@Shnatsel
Drop workaround for issue PistonDevelopers#80; it does not let us esc… 
…ape crashes anyway.
724ae3c

This was referenced Jun 27, 2018

Merged
Closed
@newpavlov

This comment has been minimized.

Sign in to view
Copy link

newpavlov commented Aug 29, 2018

I think good solution will be to add Limits struct and check against it, as for example was done in flif crate

zealousidealroll pushed a commit to zealousidealroll/image-png that referenced this issue Sep 1, 2018

@notriddle
Limit decoded images to 2^26 pixels by default 
Fixes PistonDevelopers#80
5b3b6ea

@zealousidealroll zealousidealroll referenced this issue Sep 1, 2018

Merged

Limit decoded images to 2^26 pixels by default #82

zealousidealroll added a commit to zealousidealroll/image-png that referenced this issue Sep 6, 2018

@zealousidealroll
Limit decoded images to 2^26 pixels by default 
Fixes PistonDevelopers#80
a7d1af1

@bvssvni bvssvni closed this in #82 Oct 2, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment