Add with overflow when decoding a malformed png image #14

Closed
nagisa opened this issue Feb 24, 2017 · 1 comment

nagisa commented Feb 24, 2017

thread 'main' panicked at 'attempt to add with overflow', /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/inflate-0.1.1/src/lib.rs:212
stack backtrace:
   1:     0x55dad0825b99 - std::sys::imp::backtrace::tracing::imp::write::hbb14611794d3841b
                        at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:42
   2:     0x55dad0827eae - std::panicking::default_hook::{{closure}}::h6ed906c7818ac88c
                        at /checkout/src/libstd/panicking.rs:351
   3:     0x55dad0827ab4 - std::panicking::default_hook::h23eeafbf7c1c05c3
                        at /checkout/src/libstd/panicking.rs:367
   4:     0x55dad082824b - std::panicking::rust_panic_with_hook::hd0067971b6d1240e
                        at /checkout/src/libstd/panicking.rs:545
   5:     0x55dad08280d4 - std::panicking::begin_panic::h1fd1f10a3de8f902
                        at /checkout/src/libstd/panicking.rs:507
   6:     0x55dad0828049 - std::panicking::begin_panic_fmt::haa043917b5d6f21b
                        at /checkout/src/libstd/panicking.rs:491
   7:     0x55dad0827fd7 - rust_begin_unwind
                        at /checkout/src/libstd/panicking.rs:467
   8:     0x55dad084d78d - core::panicking::panic_fmt::he9c7f335d160b59d
                        at /checkout/src/libcore/panicking.rs:69
   9:     0x55dad084d6c4 - core::panicking::panic::hb790668694ff6b20
                        at /checkout/src/libcore/panicking.rs:49
  10:     0x55dad07c4024 - inflate::CodeLengthReader::new::h53e5af7e8ca9c556
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/inflate-0.1.1/src/lib.rs:233
  11:     0x55dad08019bd - inflate::InflateStream::next_state::h28da8dd0129b2847
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/inflate-0.1.1/src/lib.rs:829
  12:     0x55dad081f214 - inflate::InflateStream::update::h06f6fb8898500df7
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/inflate-0.1.1/src/lib.rs:948
  13:     0x55dad07b1e92 - png::decoder::stream::StreamingDecoder::next_state::h2e2e90d52596330a
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/stream.rs:362
  14:     0x55dad07afe54 - png::decoder::stream::StreamingDecoder::update::h6616d015ee7df0da
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/stream.rs:169
  15:     0x55dad079a914 - <png::decoder::ReadDecoder<R>>::decode_next::h8bf479b2bee839dc
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/mod.rs:109
  16:     0x55dad0796c77 - <png::decoder::Reader<R>>::next_raw_interlaced_row::h7d6705413b0ee451
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/mod.rs:428
  17:     0x55dad0795cda - <png::decoder::Reader<R>>::next_interlaced_row::h873e9164629faba8
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/mod.rs:254
  18:     0x55dad0797d8b - <png::decoder::Reader<R>>::next_row::he4e756b17566ee6e
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/mod.rs:238
  19:     0x55dad07952bd - <png::decoder::Reader<R>>::next_frame::h9d9d7be827052a5f
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/mod.rs:229
  20:     0x55dad079f5b4 - <image::png::PNGDecoder<R> as image::image::ImageDecoder>::read_image::h5ea193ed42802e94
                        at /home/nagisa/Documents/rust/image/src/png.rs:84
  21:     0x55dad079ffd0 - overallocbmp::main::ha9648ec80c314f37
                        at /home/nagisa/Documents/rust/image/examples/overallocbmp.rs:7
  22:     0x55dad082ed2a - __rust_maybe_catch_panic
                        at /checkout/src/libpanic_unwind/lib.rs:98
  23:     0x55dad0828796 - std::rt::lang_start::hb7fc7ec87b663023
                        at /checkout/src/libstd/panicking.rs:429
                        at /checkout/src/libstd/panic.rs:361
                        at /checkout/src/libstd/rt.rs:57
  24:     0x55dad07a00a2 - main
  25:     0x7f0adf9ec290 - __libc_start_main
  26:     0x55dad07939b9 - _start
  27:                0x0 - <unknown>

The base64 of png image:

Example test:

extern crate image;

use image::ImageDecoder;

fn main() {
    let f = ::std::fs::File::open("inflate.png").unwrap();
    let x = image::png::PNGDecoder::new(f).read_image();
}

Must be compiled without optimisations (might also reproduce with -C debug-assertions)

@Manishearth

cc @pnkfelix

@eddyb eddyb closed this as completed in #15 Mar 4, 2017
eddyb pushed a commit that referenced this issue Mar 4, 2017
* Fix overflow on bogus code lengths

Fixes #14

* Try to fix 1.0 compatibility.
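
An added illustration, not code from the inflate crate or from the fix in #15: Rust's `+` panics on overflow only when overflow checks are compiled in and wraps silently otherwise, so a decoder has to reject bogus code lengths explicitly instead of relying on the build profile. The sketch assigns canonical Huffman codes (RFC 1951, section 3.2.2) for an alphabet with 7-bit maximum length; `assign_codes`, `CodeError` and the sample lengths are hypothetical.

```rust
// Added example; names and inputs are constructed, not taken from inflate.
const MAX_BITS: usize = 7; // longest code in DEFLATE's code-length alphabet

#[derive(Debug, PartialEq)]
enum CodeError {
    LengthTooLong(u8),
    OverSubscribed,
}

/// Assign canonical Huffman codes to `lengths` (0 = symbol unused),
/// returning an error for bogus input in every build profile.
fn assign_codes(lengths: &[u8]) -> Result<Vec<Option<u8>>, CodeError> {
    let mut count = [0usize; MAX_BITS + 1];
    for &len in lengths {
        let slot = count.get_mut(len as usize).ok_or(CodeError::LengthTooLong(len))?;
        *slot += 1;
    }
    count[0] = 0; // unused symbols claim no codes

    let mut next_code = [0u8; MAX_BITS + 1];
    let (mut code, mut left) = (0usize, 1usize);
    for bits in 1..=MAX_BITS {
        // `left` = codes of this length still unclaimed (Kraft inequality).
        // Going below zero means the lengths describe more codes than exist.
        left = (left << 1).checked_sub(count[bits]).ok_or(CodeError::OverSubscribed)?;
        // Safe: the previous iteration's check bounds code + count by 2^(bits-1).
        code = (code + count[bits - 1]) << 1;
        next_code[bits] = code as u8;
    }

    Ok(lengths.iter().map(|&len| {
        if len == 0 {
            return None;
        }
        let slot = &mut next_code[len as usize];
        let assigned = *slot;
        *slot += 1; // cannot overflow: bounded by 2^len <= 128 after the check
        Some(assigned)
    }).collect())
}

fn main() {
    println!("{:?}", assign_codes(&[2, 1, 3, 3])); // well-formed lengths
    println!("{:?}", assign_codes(&[1u8; 19]));    // constructed bogus header
}
```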