index out of bounds in webp

[alexanderkjall]

This happens in image::codecs::webp::lossless_transform::TransformType::apply_transform

Expected

A Result object

Actual behaviour

backtrace output:

thread 'main' panicked at 'index out of bounds: the len is 6040 but the index is 6040', /home/capitol/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.6/./src/codecs/webp/lossless_transform.rs:208:63
stack backtrace:
   0: rust_begin_unwind
             at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/std/src/panicking.rs:575:5
   1: core::panicking::panic_fmt
             at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/core/src/panicking.rs:64:14
   2: core::panicking::panic_bounds_check
             at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/core/src/panicking.rs:159:5
   3: <usize as core::slice::index::SliceIndex<[T]>>::index
             at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/core/src/slice/index.rs:260:10
   4: core::slice::index::<impl core::ops::index::Index<I> for [T]>::index
             at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/core/src/slice/index.rs:18:9
   5: <alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index
             at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/alloc/src/vec/mod.rs:2732:9
   6: image::codecs::webp::lossless_transform::TransformType::apply_transform
             at /home/capitol/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.6/src/codecs/webp/lossless_transform.rs:208:63
   7: image::codecs::webp::lossless::LosslessDecoder<R>::decode_frame
             at /home/capitol/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.6/src/codecs/webp/lossless.rs:164:13
   8: image::codecs::webp::decoder::WebPDecoder<R>::read_frame
             at /home/capitol/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.6/src/codecs/webp/decoder.rs:172:29
   9: image::codecs::webp::decoder::WebPDecoder<R>::read_data
             at /home/capitol/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.6/src/codecs/webp/decoder.rs:193:21
  10: image::codecs::webp::decoder::WebPDecoder<R>::new
             at /home/capitol/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.6/src/codecs/webp/decoder.rs:136:9
  11: image::io::free_functions::load_decoder
             at /home/capitol/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.6/src/io/free_functions.rs:63:59
  12: image::io::free_functions::load_inner
             at /home/capitol/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.6/src/io/free_functions.rs:113:5
  13: image::io::free_functions::load
             at /home/capitol/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.6/src/io/free_functions.rs:37:5
  14: image::dynimage::load_from_memory_with_format
             at /home/capitol/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.6/src/dynimage.rs:1215:5
  15: image::dynimage::load_from_memory
             at /home/capitol/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.6/src/dynimage.rs:1200:5
  16: image_reproduce::main
             at ./src/main.rs:47:13
  17: core::ops::function::FnOnce::call_once
             at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/core/src/ops/function.rs:250:5

Reproduction steps

fn main() {
    let data = vec![0x52, 0x49, 0x46, 0x46, 0xae, 0x37, 0x80, 0x01, 0x57, 0x45, 0x42, 0x50,
  0x56, 0x50, 0x38, 0x4c, 0x20, 0x00, 0xce, 0x2f, 0x2f, 0x2f, 0x2f, 0x00,
  0x00, 0x37, 0x30, 0x01, 0xff, 0xff, 0x3e, 0x46, 0xff, 0xff, 0xff, 0x2b,
  0x46, 0x46, 0x46, 0x46, 0x25, 0x46, 0x46, 0x46, 0x46, 0x46, 0x46, 0x46,
  0x46, 0xb5, 0x46, 0x46, 0x76, 0x87, 0x7a, 0x56, 0x44, 0xa1, 0xfc, 0x24,
  0x12, 0xb3, 0xbb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x99, 0xff, 0xff,
  0x00, 0x00, 0x00, 0x00, 0xe0, 0xef, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c,
  0xff, 0xfd, 0xf2, 0xeb, 0xac, 0xf6, 0x23, 0x7b, 0xae, 0x46, 0x46, 0x46,
  0x46, 0x46, 0x46, 0x46, 0x46, 0xa5, 0xfa, 0xff, 0xff, 0x46, 0x46, 0x46,
  0x46, 0x46, 0x46, 0x46, 0x46, 0x46, 0xf9, 0xff, 0xff, 0x61, 0xfe, 0x7c,
  0xd8, 0xff, 0xff, 0xfd, 0x00, 0x20, 0x00, 0x00, 0x00, 0xff, 0x00, 0xd6,
  0xff, 0xff, 0xfe, 0xeb, 0xfc, 0x05, 0x00, 0x00, 0x00, 0xf7, 0xe4, 0x11,
  0xff, 0xff, 0xa0, 0x4a, 0x00, 0x00, 0x00, 0x76, 0xfe, 0xff, 0xff, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0xff, 0xff,
  0xfd, 0x78, 0x00, 0x00, 0xff, 0xff, 0xc7, 0xdc, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x55, 0xac, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0xff, 0xff, 0xd9, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x48, 0x03, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x54, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0xe2, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x32, 0x31,
  0xff];

    let _ = image::load_from_memory(&data);
}

[Shnatsel]

This is fixed in the next-version-0.25 branch that switches to the image-webp crate for WebP decoding.