
Panic in image::codecs::webp::extended::ExtendedImage::fill_buf #1779

Closed
anfedotoff opened this issue Aug 29, 2022 · 2 comments

Comments

@anfedotoff
Contributor

Hi!
We were doing some fuzzing with our tool Sydr and libFuzzer. We caught a panic here. Here is the input file:
crash-fc828dea8b70f5c85b04de04779a9cc6c5ddafce.txt

Expected

Honestly, I don't know, but I think it should not panic :).

Actual behaviour

thread '<unnamed>' panicked at 'source slice length (30000) does not match destination slice length (40000)', /image/./src/codecs/webp/extended.rs:462:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==21== ERROR: libFuzzer: deadly signal
    #0 0x55eefd72b4b1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x55eeff4a8010 in fuzzer::PrintStackTrace() /root/.cargo/registry/src/github.com-1ecc6299db9ec823/libfuzzer-sys-0.3.5/libfuzzer/FuzzerUtil.cpp:210:38
    #2 0x55eeff4b790a in fuzzer::Fuzzer::CrashCallback() /root/.cargo/registry/src/github.com-1ecc6299db9ec823/libfuzzer-sys-0.3.5/libfuzzer/FuzzerLoop.cpp:233:18
    #3 0x55eeff4b790a in fuzzer::Fuzzer::CrashCallback() /root/.cargo/registry/src/github.com-1ecc6299db9ec823/libfuzzer-sys-0.3.5/libfuzzer/FuzzerLoop.cpp:228:6
    #4 0x7f86c2e3741f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
    #5 0x7f86c2b1f00a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
    #6 0x7f86c2b1f00a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
    #7 0x7f86c2afe858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7
    #8 0x55eeff528ce6 in std::sys::unix::abort_internal::he27a37d61b2ed41a /rustc/7480389611f9d04bd34adf41a2b3029be4eb815e/library/std/src/sys/unix/mod.rs:293:14
    #9 0x55eefd69d2d6 in std::process::abort::hfcb96511de2eae1c /rustc/7480389611f9d04bd34adf41a2b3029be4eb815e/library/std/src/process.rs:2119:5
    #10 0x55eeff498b83 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::h661ef488c66c237e /root/.cargo/registry/src/github.com-1ecc6299db9ec823/libfuzzer-sys-0.3.5/src/lib.rs:51:9
    #11 0x55eeff51debc in std::panicking::rust_panic_with_hook::ha5fcab7510d2c291 /rustc/7480389611f9d04bd34adf41a2b3029be4eb815e/library/std/src/panicking.rs:702:17
    #12 0x55eeff51dd16 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h1916fdb5e93d55b3 /rustc/7480389611f9d04bd34adf41a2b3029be4eb815e/library/std/src/panicking.rs:588:13
    #13 0x55eeff51af3b in std::sys_common::backtrace::__rust_end_short_backtrace::h23fd3d7e6530fb89 /rustc/7480389611f9d04bd34adf41a2b3029be4eb815e/library/std/src/sys_common/backtrace.rs:138:18
    #14 0x55eeff51da31 in rust_begin_unwind /rustc/7480389611f9d04bd34adf41a2b3029be4eb815e/library/std/src/panicking.rs:584:5
    #15 0x55eefd69ea72 in core::panicking::panic_fmt::he089491c0abfaeea /rustc/7480389611f9d04bd34adf41a2b3029be4eb815e/library/core/src/panicking.rs:142:14
    #16 0x55eefd69ed11 in core::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::copy_from_slice::len_mismatch_fail::hdd549d9d03b491aa /rustc/7480389611f9d04bd34adf41a2b3029be4eb815e/library/core/src/slice/mod.rs:3227:13
    #17 0x55eefe6ccf3c in image::codecs::webp::extended::ExtendedImage::fill_buf::h06f66a732fd77276 /image/src/codecs/webp/extended.rs
    #18 0x55eefdbe7fc3 in _$LT$image..codecs..webp..decoder..WebPDecoder$LT$R$GT$$u20$as$u20$image..image..ImageDecoder$GT$::read_image::hed959da4f4f1ad46 /image/./src/codecs/webp/decoder.rs:325:17
    #19 0x55eefda954b6 in image::image::decoder_to_vec::h40785b396f57b3a8 /image/./src/image.rs:587:5
    #20 0x55eefdb6901a in image::dynimage::decoder_to_image::hc8bfd366c02f592f /image/./src/dynimage.rs:1030:23
    #21 0x55eefd79960a in image::dynimage::DynamicImage::from_decoder::h5b1e654b8ef3493f /image/./src/dynimage.rs:175:9
    #22 0x55eefd79960a in _$LT$image..io..free_functions..load_inner..LoadVisitor$u20$as$u20$image..io..free_functions..DecoderVisitor$GT$::visit_decoder::h2b8c9837046d9a6c /image/./src/io/free_functions.rs:107:13
    #23 0x55eefda84d63 in image::io::free_functions::load_decoder::h6b5212e0f6ad4050 /image/./src/io/free_functions.rs:62:37
    #24 0x55eefdc0074a in image::io::free_functions::load_inner::h12578ff94b489459 /image/./src/io/free_functions.rs:111:5
    #25 0x55eefdc0074a in image::io::free_functions::load::h9f61f6e91d8e0c52 /image/./src/io/free_functions.rs:37:5
    #26 0x55eefdc0074a in image::dynimage::load_from_memory_with_format::h82e7580a745813ee /image/fuzz/fuzzers/fuzzer_script_webp.rs:6:13
    #27 0x55eefdc0074a in rust_fuzzer_test_input /image/fuzz/fuzzers/fuzzer_script_webp.rs:6:13
    #28 0x55eeff498be7 in __rust_try libfuzzer_sys.8fd6e53f-cgu.0
    #29 0x55eeff498473 in std::panicking::try::h6c266d8655016d6a /rustc/7480389611f9d04bd34adf41a2b3029be4eb815e/library/std/src/panicking.rs:456:19
    #30 0x55eeff498473 in std::panic::catch_unwind::hd398871bcb2aad9c /rustc/7480389611f9d04bd34adf41a2b3029be4eb815e/library/std/src/panic.rs:137:14
    #31 0x55eeff498473 in LLVMFuzzerTestOneInput /root/.cargo/registry/src/github.com-1ecc6299db9ec823/libfuzzer-sys-0.3.5/src/lib.rs:25:22
    #32 0x55eeff4b7e4c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /root/.cargo/registry/src/github.com-1ecc6299db9ec823/libfuzzer-sys-0.3.5/libfuzzer/FuzzerLoop.cpp:611:17
    #33 0x55eeff49c269 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/.cargo/registry/src/github.com-1ecc6299db9ec823/libfuzzer-sys-0.3.5/libfuzzer/FuzzerDriver.cpp:324:21
    #34 0x55eeff4a6042 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /root/.cargo/registry/src/github.com-1ecc6299db9ec823/libfuzzer-sys-0.3.5/libfuzzer/FuzzerDriver.cpp:860:19
    #35 0x55eefd69ee46 in main /root/.cargo/registry/src/github.com-1ecc6299db9ec823/libfuzzer-sys-0.3.5/libfuzzer/FuzzerMain.cpp:20:30
    #36 0x7f86c2b00082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #37 0x55eefd69efed in _start (/fuzzer_script_webp+0xfa9fed) (BuildId: 5f3a64dd4f1a5e03f8ae96a9e9b4a0863fa91431)

Reproduction steps

$ cargo +nightly fuzz build
$ ./target/x86_64-unknown-linux-gnu/release/fuzzer_script_webp crash-fc828dea8b70f5c85b04de04779a9cc6c5ddafce.txt
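The panic above comes from `copy_from_slice` being handed a 30000-byte source for a 40000-byte destination. As an added example (not code from the image crate or from this report), the following shows the defensive shape a decoder's fill step should take: compute the canvas size with overflow checks and reject a frame whose length disagrees, returning an error instead of aborting the process. The names `FillError`, `canvas_len` and `fill_buf_checked` are hypothetical.

```rust
/// Error returned instead of panicking when a frame cannot fill the canvas.
/// (Hypothetical type for this example, not part of the image crate.)
#[derive(Debug, PartialEq)]
pub enum FillError {
    /// width * height * channels does not fit in usize
    DimensionOverflow { width: u32, height: u32, channels: usize },
    /// decoded frame bytes and canvas bytes differ in length
    LengthMismatch { expected: usize, actual: usize },
}

/// Byte length a canvas of these dimensions needs, with overflow checked
/// so attacker-controlled dimensions cannot wrap to a small buffer.
pub fn canvas_len(width: u32, height: u32, channels: usize) -> Result<usize, FillError> {
    (width as usize)
        .checked_mul(height as usize)
        .and_then(|px| px.checked_mul(channels))
        .ok_or(FillError::DimensionOverflow { width, height, channels })
}

/// Copy decoded frame bytes into the canvas only after both lengths are
/// proven equal. `copy_from_slice` panics on mismatch; a decoder should
/// report a recoverable error so a malformed file cannot abort the process.
pub fn fill_buf_checked(
    canvas: &mut [u8],
    width: u32,
    height: u32,
    channels: usize,
    frame: &[u8],
) -> Result<(), FillError> {
    let expected = canvas_len(width, height, channels)?;
    for actual in [canvas.len(), frame.len()] {
        if actual != expected {
            return Err(FillError::LengthMismatch { expected, actual });
        }
    }
    canvas.copy_from_slice(frame); // lengths verified, cannot panic here
    Ok(())
}

fn main() {
    // Constructed sizes mirroring the panic message: a 100x100 RGBA canvas
    // (40000 bytes) and a frame that decoded to only 30000 bytes.
    let mut canvas = vec![0u8; 40000];
    let frame = vec![0xAB_u8; 30000];
    match fill_buf_checked(&mut canvas, 100, 100, 4, &frame) {
        Ok(()) => println!("copied"),
        Err(e) => println!("rejected: {e:?}"),
    }
}
```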
@anfedotoff
Contributor Author

Seems it is already opened in #1712.

@rparrett

rparrett commented Jan 18, 2023

I tested this input and believe it was fixed by #1806
