panicked at 'attempt to multiply with overflow'

Open charlesxsh opened this issue 2 years ago • 1 comments

This happens in image-rs 0.24.2

Expected

Return an error properly instead of panicking.

Actual behaviour

thread 'main' panicked at 'attempt to multiply with overflow', /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/./src/codecs/pnm/decoder.rs:651:39
stack backtrace:
   0: rust_begin_unwind
             at /rustc/546c826f0ccaab36e897860205281f490db274e6/library/std/src/panicking.rs:584:5
   1: core::panicking::panic_fmt
             at /rustc/546c826f0ccaab36e897860205281f490db274e6/library/core/src/panicking.rs:142:14
   2: core::panicking::panic
             at /rustc/546c826f0ccaab36e897860205281f490db274e6/library/core/src/panicking.rs:48:5
   3: image::codecs::pnm::decoder::PnmDecoder<R>::read_samples
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/codecs/pnm/decoder.rs:651:39
   4: <image::codecs::pnm::decoder::PnmDecoder<R> as image::image::ImageDecoder>::read_image
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/codecs/pnm/decoder.rs:623:33
   5: image::image::decoder_to_vec
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/image.rs:585:5
   6: image::dynimage::decoder_to_image
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/dynimage.rs:1015:23
   7: image::dynimage::DynamicImage::from_decoder
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/dynimage.rs:175:9
   8: <image::io::free_functions::load_inner::LoadVisitor as image::io::free_functions::DecoderVisitor>::visit_decoder
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/io/free_functions.rs:106:13
   9: image::io::free_functions::load_decoder
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/io/free_functions.rs:78:36
  10: image::io::free_functions::load_inner
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/io/free_functions.rs:110:5
  11: image::io::free_functions::load
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/io/free_functions.rs:37:5
  12: image::dynimage::load_from_memory_with_format
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/dynimage.rs:1211:5
  13: image::dynimage::load_from_memory
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/dynimage.rs:1196:5
  14: imagebug::main
             at ./main.rs:4:13
  15: core::ops::function::FnOnce::call_once
             at /rustc/546c826f0ccaab36e897860205281f490db274e6/library/core/src/ops/function.rs:248:5

Reproduction steps

in.zip

There is an input file in this zip.

let _ = image::load_from_memory(&std::fs::read("in").unwrap());

$ RUST_BACKTRACE=1 cargo run

charlesxsh avatar Jun 15 '22 18:06 charlesxsh

I was able to reproduce the same crash also in image-rs 0.24.2

thread 'main' panicked at 'attempt to multiply with overflow', /home/mkatouh/compdiff-rust/targets/image/src/image/./src/codecs/pnm/decoder.rs:651:39
stack backtrace:
   0:     0x55efda9a58ad - std::backtrace_rs::backtrace::libunwind::trace::h22893a5306c091b4
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
   1:     0x55efda9a58ad - std::backtrace_rs::backtrace::trace_unsynchronized::h29c3bc6f9e91819d
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x55efda9a58ad - std::sys_common::backtrace::_print_fmt::he497d8a0ec903793
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/sys_common/backtrace.rs:66:5
   3:     0x55efda9a58ad - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h9c2a9d2774d81873
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/sys_common/backtrace.rs:45:22
   4:     0x55efda9c404c - core::fmt::write::hba4337c43d992f49
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/fmt/mod.rs:1194:17
   5:     0x55efda9a3ad1 - std::io::Write::write_fmt::heb73de6e02cfabed
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/io/mod.rs:1655:15
   6:     0x55efda9a7055 - std::sys_common::backtrace::_print::h63c8b24acdd8e8ce
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/sys_common/backtrace.rs:48:5
   7:     0x55efda9a7055 - std::sys_common::backtrace::print::h426700d6240cdcc2
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/sys_common/backtrace.rs:35:9
   8:     0x55efda9a7055 - std::panicking::default_hook::{{closure}}::hc9a76eed0b18f82b
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:295:22
   9:     0x55efda9a6d09 - std::panicking::default_hook::h2e88d02087fae196
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:314:9
  10:     0x55efda9a75b2 - std::panicking::rust_panic_with_hook::habfdcc2e90f9fd4c
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:698:17
  11:     0x55efda9a7459 - std::panicking::begin_panic_handler::{{closure}}::he054b2a83a51d2cd
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:586:13
  12:     0x55efda9a5d64 - std::sys_common::backtrace::__rust_end_short_backtrace::ha48b94ab49b30915
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/sys_common/backtrace.rs:138:18
  13:     0x55efda9a71c9 - rust_begin_unwind
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:584:5
  14:     0x55efda97a5d3 - core::panicking::panic_fmt::h366d3a309ae17c94
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/panicking.rs:143:14
  15:     0x55efda97a49d - core::panicking::panic::h8705e81f284be8a5
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/panicking.rs:48:5
  16:     0x55efda97ed12 - image::codecs::pnm::decoder::PnmDecoder<R>::read_samples::h503cd02f3c24bfd7
  17:     0x55efda97f3bd - <image::codecs::pnm::decoder::PnmDecoder<R> as image::image::ImageDecoder>::read_image::h1ef3586ae7e3b3c7
  18:     0x55efda97d846 - image::image::decoder_to_vec::h640ebd496c64529b
  19:     0x55efda982fc5 - reproduce_pnm::main::h70106e292e8903e5
  20:     0x55efda97a952 - std::sys_common::backtrace::__rust_begin_short_backtrace::h3ce2386dd2c1c037
  21:     0x55efda97b958 - std::rt::lang_start::{{closure}}::hbb837cc3a1b9d87f
  22:     0x55efda9a04de - core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::had4f69b3aefb47a8
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/ops/function.rs:259:13
  23:     0x55efda9a04de - std::panicking::try::do_call::hf2ad5355fcafe775
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:492:40
  24:     0x55efda9a04de - std::panicking::try::h0a63ac363423e61e
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:456:19
  25:     0x55efda9a04de - std::panic::catch_unwind::h18088edcecb8693a
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panic.rs:137:14
  26:     0x55efda9a04de - std::rt::lang_start_internal::{{closure}}::ha7dad166dc711761
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/rt.rs:128:48
  27:     0x55efda9a04de - std::panicking::try::do_call::hda0c61bf3a57d6e6
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:492:40
  28:     0x55efda9a04de - std::panicking::try::hbc940e68560040a9
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:456:19
  29:     0x55efda9a04de - std::panic::catch_unwind::haed0df2aeb3fa368
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panic.rs:137:14
  30:     0x55efda9a04de - std::rt::lang_start_internal::h9c06694362b5b80c
                               at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/rt.rs:128:20
  31:     0x55efda984e35 - main
  32:     0x7f1f74c87083 - __libc_start_main
  33:     0x55efda97a87e - _start
  34:                0x0 - <unknown>

This crash instance was reproduced after fuzzing the library, by navigating into the image directory and running ./fuzz-afl/target/debug/reproduce_pnm on the binary input:

crash1.zip

The same error can arise by also running the same command on the following binaries: crash2.zip, crash3.zip, crash4.zip

mkatouh avatar Jun 25 '22 11:06 mkatouh

I believe this is now fixed

fintelia avatar Mar 10 '24 22:03 fintelia
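
The behaviour the report asks for, an error value instead of a panic when a size computed from header fields overflows, sketched as an added example; it is not code from the image crate or from anyone in this thread. The binary-PGM ("P5") subset, the `SizeError` type and every function name are assumptions made for illustration.

```rust
// Added example, not the image crate's code. Names and the "P5" subset are assumptions.
#[derive(Debug, PartialEq)]
pub enum SizeError {
    Malformed,     // header missing or a field is not a decimal u32
    Overflow,      // width * height * bytes_per_sample does not fit in usize
    LimitExceeded, // fits in usize but is larger than the caller allows
}

/// Parse `P5 <width> <height> <maxval>` from untrusted bytes.
fn parse_header(data: &[u8]) -> Result<(u32, u32, u32), SizeError> {
    let mut tok = data.split(|b| b.is_ascii_whitespace()).filter(|t| !t.is_empty());
    if tok.next() != Some(&b"P5"[..]) {
        return Err(SizeError::Malformed);
    }
    let mut num = || -> Result<u32, SizeError> {
        let t = tok.next().ok_or(SizeError::Malformed)?;
        std::str::from_utf8(t).ok().and_then(|s| s.parse::<u32>().ok()).ok_or(SizeError::Malformed)
    };
    Ok((num()?, num()?, num()?))
}

/// Sample-buffer size from header fields, as an error value rather than a panic or a wrap.
pub fn sample_buffer_len(data: &[u8], limit: usize) -> Result<usize, SizeError> {
    let (width, height, maxval) = parse_header(data)?;
    if maxval == 0 || maxval > 65535 {
        return Err(SizeError::Malformed);
    }
    let bytes_per_sample: usize = if maxval < 256 { 1 } else { 2 };
    // u32 -> usize is lossless on 32- and 64-bit targets; every product is checked.
    let len = (width as usize)
        .checked_mul(height as usize)
        .and_then(|n| n.checked_mul(bytes_per_sample))
        .ok_or(SizeError::Overflow)?;
    if len > limit {
        return Err(SizeError::LimitExceeded);
    }
    Ok(len)
}

/// What a plain `*` on u32 yields when overflow checks are off (default release
/// profile): a silently wrapped value. With checks on (debug), the same `*` panics.
pub fn wrapped_len_u32(width: u32, height: u32, bytes_per_sample: u32) -> u32 {
    width.wrapping_mul(height).wrapping_mul(bytes_per_sample)
}

fn main() {
    // Constructed header: dimensions chosen so the product overflows usize.
    println!("{:?}", sample_buffer_len(b"P5 4294967295 4294967295 65535\n", 1 << 28));
    println!("{}", wrapped_len_u32(65536, 65536, 1));
}
```

Checking the result against a caller-supplied limit as well as against overflow keeps a header that merely fits in `usize` from driving a very large allocation.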