Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Panic on malformed input: Index out of range in Decoder::expand_strip #28

Closed
Shnatsel opened this issue Feb 27, 2019 · 2 comments · Fixed by #32
Closed

Panic on malformed input: Index out of range in Decoder::expand_strip #28

Shnatsel opened this issue Feb 27, 2019 · 2 comments · Fixed by #32

Comments

@Shnatsel
Copy link

Shnatsel commented Feb 27, 2019
edited

Feed one of the attached sample files to the standard input of the following code to trigger a panic:

extern crate afl;
extern crate tiff;

use tiff::decoder::{Decoder};
use std::io::Cursor;

fn main() {
    afl::read_stdio_bytes(|data| {
        let cursor = Cursor::new(&data);
        if let Ok(mut decoder) = Decoder::new(cursor) {
            decoder.read_image();
        }
    });
}

Samples triggering the panic: tiff-oor-panics.zip

Backtrace:

thread 'main' panicked at 'index 884062630 out of range for slice of length 23707', src/libcore/slice/mod.rs:2349:5
stack backtrace:
   0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
             at src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:71
   2: std::panicking::default_hook::{{closure}}
             at src/libstd/sys_common/backtrace.rs:59
             at src/libstd/panicking.rs:211
   3: std::panicking::default_hook
             at src/libstd/panicking.rs:227
   4: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:491
   5: std::panicking::continue_panic_fmt
             at src/libstd/panicking.rs:398
   6: rust_begin_unwind
             at src/libstd/panicking.rs:325
   7: core::panicking::panic_fmt
             at src/libcore/panicking.rs:95
   8: core::slice::slice_index_len_fail
             at src/libcore/slice/mod.rs:2349
   9: <tiff::decoder::Decoder<R>>::expand_strip
  10: <tiff::decoder::Decoder<R>>::read_image
  11: std::panicking::try::do_call
  12: __rust_maybe_catch_panic
             at src/libpanic_unwind/lib.rs:102
  13: afl::read_stdio_bytes
  14: std::rt::lang_start::{{closure}}
  15: std::panicking::try::do_call
             at src/libstd/rt.rs:59
             at src/libstd/panicking.rs:310
  16: __rust_maybe_catch_panic
             at src/libpanic_unwind/lib.rs:102
  17: std::rt::lang_start_internal
             at src/libstd/panicking.rs:289
             at src/libstd/panic.rs:398
             at src/libstd/rt.rs:58
  18: main
  19: __libc_start_main
  20: _start
Aborted

Found with AFL.rs. Tested on version 0.2.2
This was referenced Feb 27, 2019
Closed
Closed
@birktj
Copy link
Member

birktj commented Feb 27, 2019

@Shnatsel, would it be acceptable if I took the samples you posted and added those as tests to the library?

@Shnatsel
Copy link
Author

Yes, absolutely. These are obtained by an automated tool run by me, so I'm the copyright holder. I hereby release them under the MIT license.

birktj added a commit to birktj/image-tiff that referenced this issue Feb 28, 2019
@birktj
Add tests from fuzzing
95b153c 
Add test from fuzzing samples in image-rs#28, image-rs#29 and image-rs#31
@birktj birktj mentioned this issue Feb 28, 2019
Merged
@Shnatsel Shnatsel mentioned this issue Feb 28, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix bugs, compiler warnings and add tests birktj/image-tiff
2 participants
@Shnatsel @birktj