Image.Load throws ExecutionEngineException #839

Metalnem · 2019-02-20T11:08:46Z

Prerequisites

I have written a descriptive issue title
I have verified that I am running the latest version of ImageSharp
I have verified if the problem exist in both DEBUG and RELEASE mode
I have searched open and closed issues to ensure it has not already been reported

Description

Image.Load throws ExecutionEngineException when loading malformed JPG file. The stack trace looks almost the same as in the #827, which probably means the previous issue hasn't been fixed completely.

Steps to Reproduce

Run the following code snippet with the path variable containing the path to the file from the attached archive:

Image.Load(path);

SOS exception details:

Exception object: 000000018eb911f8
Exception type:   System.ExecutionEngineException
Message:          <none>
InnerException:   <none>
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80131506

Stack trace:

00007FFEE12723E0 00007fff785f923e [FaultingExceptionFrame: 00007ffee12723e0] 
00007FFEE1273850 000000011DC57772 SixLabors.ImageSharp.Formats.Jpeg.Components.Decoder.HuffmanTable..ctor(SixLabors.Memory.MemoryAllocator, System.ReadOnlySpan`1<Byte>, System.ReadOnlySpan`1<Byte>) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Formats/Jpeg/Components/Decoder/HuffmanTable.cs @ 114]
00007FFEE12738E0 000000011DC56D55 SixLabors.ImageSharp.Formats.Jpeg.JpegDecoderCore.ProcessDefineHuffmanTablesMarker(Int32)
00007FFEE1274000 000000011DC51FF7 SixLabors.ImageSharp.Formats.Jpeg.JpegDecoderCore.ParseStream(System.IO.Stream, Boolean) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs @ 313]
00007FFEE1274060 000000011DC51285 SixLabors.ImageSharp.Formats.Jpeg.JpegDecoderCore.Decode[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](System.IO.Stream) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs @ 223]
00007FFEE1274080 000000011DC510D5 SixLabors.ImageSharp.Formats.Jpeg.JpegDecoder.Decode[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](SixLabors.ImageSharp.Configuration, System.IO.Stream) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Formats/Jpeg/JpegDecoder.cs @ 25]
00007FFEE12740C0 000000011DC4E937 SixLabors.ImageSharp.Image.Decode[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](System.IO.Stream, SixLabors.ImageSharp.Configuration) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Image.Decode.cs @ 103]
00007FFEE1274120 000000011DC4E42C SixLabors.ImageSharp.Image.Load[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](SixLabors.ImageSharp.Configuration, System.IO.Stream, SixLabors.ImageSharp.Formats.IImageFormat ByRef) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Image.FromStream.cs @ 177]
00007FFEE1274190 000000011DC4E2CB SixLabors.ImageSharp.Image.Load[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](SixLabors.ImageSharp.Configuration, Byte[]) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Image.FromBytes.cs @ 123]

System Configuration

ImageSharp version: master - 8f3658d
Environment (Operating system, version and so on): Mac OS X 10.14
.NET Framework version: .NET Core 2.2.104

Found via SharpFuzz.

The text was updated successfully, but these errors were encountered:

antonfirsov · 2019-02-24T16:13:47Z

@Metalnem what is the simplest way to produce malformed input for a given format? Is my understanding correct that I need to learn afl-fuzz for this?

Metalnem · 2019-02-25T07:26:05Z

Yes, you will have to learn afl-fuzz for this. But that's relatively easy thing to do: I wrote a step-by-step tutorial on SharpFuzz installation and usage here. You can also find my ImageSharp fuzzing project here. If you have any troubles setting up SharpFuzz, or any additional questions, just send me an email and I'll assist you.

* Lazily derive the huffman tables. Fix SixLabors#839 * Lazy invoke fast table * Add performance tweaks to scan decoder. * Remove unneccessary classes.

br3aker · 2022-01-09T02:04:39Z

Note if this issue would come up again:

Attached image is malformed, weird things start at DHT (0xffc4) marker. Huffman values are malformed in a way huffman table building code was going out of bounds corrupting memory and CLR state which led to ExecutionEngineException. Runtime doesn't use this exception nowadays:

ExecutionEngineException previously indicated an unspecified fatal error in the runtime. The runtime no longer raises this exception so this type is obsolete.

So it's kind of unspottable without manual debugging.

This problem was fixed here: #1926

JimBobSquarePants added bug formats:jpeg labels Feb 20, 2019

JimBobSquarePants self-assigned this Feb 20, 2019

JimBobSquarePants added this to To Do in ImageSharp via automation Feb 20, 2019

JimBobSquarePants added this to the 1.0.0-rc1 milestone Feb 20, 2019

JimBobSquarePants added a commit that referenced this issue Feb 20, 2019

Lazily derive the huffman tables. Fix #839

f6a56b4

JimBobSquarePants closed this as completed in 617c77c Feb 23, 2019

ImageSharp automation moved this from To Do to Done Feb 23, 2019

br3aker mentioned this issue Jan 9, 2022

Jpeg HuffmanTable improvements #1926

Merged

7 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Image.Load throws ExecutionEngineException #839

Image.Load throws ExecutionEngineException #839

Metalnem commented Feb 20, 2019

antonfirsov commented Feb 24, 2019

Metalnem commented Feb 25, 2019

br3aker commented Jan 9, 2022 •

edited

Image.Load throws ExecutionEngineException #839

Image.Load throws ExecutionEngineException #839

Comments

Metalnem commented Feb 20, 2019

Prerequisites

Description

Steps to Reproduce

System Configuration

antonfirsov commented Feb 24, 2019

Metalnem commented Feb 25, 2019

br3aker commented Jan 9, 2022 • edited

br3aker commented Jan 9, 2022 •

edited