panicked at 'attempt to multiply with overflow'
This happens in image-rs 0.24.2
Expected
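The decoder should return an error instead of panicking. Note that the overflow check behind this panic is enabled by default only in debug builds; in a release build without `overflow-checks` the same multiplication wraps silently, so the arithmetic needs to be checked explicitly.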
Actual behaviour
thread 'main' panicked at 'attempt to multiply with overflow', /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/./src/codecs/pnm/decoder.rs:651:39
stack backtrace:
0: rust_begin_unwind
at /rustc/546c826f0ccaab36e897860205281f490db274e6/library/std/src/panicking.rs:584:5
1: core::panicking::panic_fmt
at /rustc/546c826f0ccaab36e897860205281f490db274e6/library/core/src/panicking.rs:142:14
2: core::panicking::panic
at /rustc/546c826f0ccaab36e897860205281f490db274e6/library/core/src/panicking.rs:48:5
3: image::codecs::pnm::decoder::PnmDecoder<R>::read_samples
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/codecs/pnm/decoder.rs:651:39
4: <image::codecs::pnm::decoder::PnmDecoder<R> as image::image::ImageDecoder>::read_image
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/codecs/pnm/decoder.rs:623:33
5: image::image::decoder_to_vec
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/image.rs:585:5
6: image::dynimage::decoder_to_image
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/dynimage.rs:1015:23
7: image::dynimage::DynamicImage::from_decoder
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/dynimage.rs:175:9
8: <image::io::free_functions::load_inner::LoadVisitor as image::io::free_functions::DecoderVisitor>::visit_decoder
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/io/free_functions.rs:106:13
9: image::io::free_functions::load_decoder
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/io/free_functions.rs:78:36
10: image::io::free_functions::load_inner
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/io/free_functions.rs:110:5
11: image::io::free_functions::load
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/io/free_functions.rs:37:5
12: image::dynimage::load_from_memory_with_format
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/dynimage.rs:1211:5
13: image::dynimage::load_from_memory
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.24.2/src/dynimage.rs:1196:5
14: imagebug::main
at ./main.rs:4:13
15: core::ops::function::FnOnce::call_once
at /rustc/546c826f0ccaab36e897860205281f490db274e6/library/core/src/ops/function.rs:248:5
Reproduction steps
The input file is in the attached zip.
// Read the reproducer file named "in" and pass its bytes to the loader.
// The result is discarded on purpose: the report is that decoding panics
// instead of returning an `Err` to the caller.
let input = std::fs::read("in").unwrap();
let _ = image::load_from_memory(&input);
$ RUST_BACKTRACE=1 cargo run
I was also able to reproduce the same crash in image-rs 0.24.2.
thread 'main' panicked at 'attempt to multiply with overflow', /home/mkatouh/compdiff-rust/targets/image/src/image/./src/codecs/pnm/decoder.rs:651:39
stack backtrace:
0: 0x55efda9a58ad - std::backtrace_rs::backtrace::libunwind::trace::h22893a5306c091b4
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
1: 0x55efda9a58ad - std::backtrace_rs::backtrace::trace_unsynchronized::h29c3bc6f9e91819d
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
2: 0x55efda9a58ad - std::sys_common::backtrace::_print_fmt::he497d8a0ec903793
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/sys_common/backtrace.rs:66:5
3: 0x55efda9a58ad - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h9c2a9d2774d81873
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/sys_common/backtrace.rs:45:22
4: 0x55efda9c404c - core::fmt::write::hba4337c43d992f49
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/fmt/mod.rs:1194:17
5: 0x55efda9a3ad1 - std::io::Write::write_fmt::heb73de6e02cfabed
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/io/mod.rs:1655:15
6: 0x55efda9a7055 - std::sys_common::backtrace::_print::h63c8b24acdd8e8ce
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/sys_common/backtrace.rs:48:5
7: 0x55efda9a7055 - std::sys_common::backtrace::print::h426700d6240cdcc2
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/sys_common/backtrace.rs:35:9
8: 0x55efda9a7055 - std::panicking::default_hook::{{closure}}::hc9a76eed0b18f82b
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:295:22
9: 0x55efda9a6d09 - std::panicking::default_hook::h2e88d02087fae196
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:314:9
10: 0x55efda9a75b2 - std::panicking::rust_panic_with_hook::habfdcc2e90f9fd4c
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:698:17
11: 0x55efda9a7459 - std::panicking::begin_panic_handler::{{closure}}::he054b2a83a51d2cd
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:586:13
12: 0x55efda9a5d64 - std::sys_common::backtrace::__rust_end_short_backtrace::ha48b94ab49b30915
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/sys_common/backtrace.rs:138:18
13: 0x55efda9a71c9 - rust_begin_unwind
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:584:5
14: 0x55efda97a5d3 - core::panicking::panic_fmt::h366d3a309ae17c94
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/panicking.rs:143:14
15: 0x55efda97a49d - core::panicking::panic::h8705e81f284be8a5
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/panicking.rs:48:5
16: 0x55efda97ed12 - image::codecs::pnm::decoder::PnmDecoder<R>::read_samples::h503cd02f3c24bfd7
17: 0x55efda97f3bd - <image::codecs::pnm::decoder::PnmDecoder<R> as image::image::ImageDecoder>::read_image::h1ef3586ae7e3b3c7
18: 0x55efda97d846 - image::image::decoder_to_vec::h640ebd496c64529b
19: 0x55efda982fc5 - reproduce_pnm::main::h70106e292e8903e5
20: 0x55efda97a952 - std::sys_common::backtrace::__rust_begin_short_backtrace::h3ce2386dd2c1c037
21: 0x55efda97b958 - std::rt::lang_start::{{closure}}::hbb837cc3a1b9d87f
22: 0x55efda9a04de - core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::had4f69b3aefb47a8
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/ops/function.rs:259:13
23: 0x55efda9a04de - std::panicking::try::do_call::hf2ad5355fcafe775
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:492:40
24: 0x55efda9a04de - std::panicking::try::h0a63ac363423e61e
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:456:19
25: 0x55efda9a04de - std::panic::catch_unwind::h18088edcecb8693a
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panic.rs:137:14
26: 0x55efda9a04de - std::rt::lang_start_internal::{{closure}}::ha7dad166dc711761
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/rt.rs:128:48
27: 0x55efda9a04de - std::panicking::try::do_call::hda0c61bf3a57d6e6
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:492:40
28: 0x55efda9a04de - std::panicking::try::hbc940e68560040a9
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:456:19
29: 0x55efda9a04de - std::panic::catch_unwind::haed0df2aeb3fa368
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panic.rs:137:14
30: 0x55efda9a04de - std::rt::lang_start_internal::h9c06694362b5b80c
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/rt.rs:128:20
31: 0x55efda984e35 - main
32: 0x7f1f74c87083 - __libc_start_main
33: 0x55efda97a87e - _start
34: 0x0 - <unknown>
I reproduced this crash after fuzzing the library, by changing into the image directory and running
./fuzz-afl/target/debug/reproduce_pnm
on the binary input:
The same error also occurs when running the same command on the following binary inputs: crash2.zip crash3.zip crash4.zip
I believe this is now fixed