WebP decoding panics on libwebp test data: index out of bounds in codecs/webp/lossless_transform.rs:45:36
This happens in image from git 04052e64c9a94606efc8bd3d87d5f3e0f566774e (latest commit as of this writing)
Expected
No panics
Actual behaviour
A panic:
thread '<unnamed>' panicked at 'index out of bounds: the len is 390 but the index is 400', image/./src/codecs/webp/lossless_transform.rs:45:36
stack backtrace:
0: rust_begin_unwind
at /rustc/f2d93935ffba3ab9d7ccb5300771a2d29b4c8bf3/library/std/src/panicking.rs:584:5
1: core::panicking::panic_fmt
at /rustc/f2d93935ffba3ab9d7ccb5300771a2d29b4c8bf3/library/core/src/panicking.rs:142:14
2: core::panicking::panic_bounds_check
at /rustc/f2d93935ffba3ab9d7ccb5300771a2d29b4c8bf3/library/core/src/panicking.rs:84:5
3: image::codecs::webp::lossless_transform::TransformType::apply_transform
4: image::codecs::webp::lossless::LosslessDecoder<R>::decode_frame
5: image::codecs::webp::decoder::WebPDecoder<R>::read_frame
6: image::codecs::webp::decoder::WebPDecoder<R>::new
7: image::io::free_functions::load_decoder
8: rust_fuzzer_test_input
9: __rust_try
10: LLVMFuzzerTestOneInput
11: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
12: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
13: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
14: main
15: __libc_start_main
16: _start
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
Reproduction steps
I copied the webp images from https://github.com/dvyukov/go-fuzz-corpus/tree/master/webp/corpus and https://chromium.googlesource.com/webm/libwebp-test-data/ to fuzz/corpus/fuzzer_script_webp and ran cargo +nightly fuzz run fuzzer_script_webp.
The fuzzer crashed immediately, in the stage of running the provided samples through the decoder.
The file triggering this panic is attached: panic.webp.gz
But I am sure there are many more to come if you seed the fuzzer with this corpus and run it.
There is also an official AFL corpus for WebP that will help kickstart future fuzzing efforts: https://lcamtuf.coredump.cx/afl/demo/
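As an added example (not code from the image crate, the reporter, or the eventual fix), the defensive pattern that turns this class of bounds panic into spec-conformant behaviour or a recoverable error: WebP's colour-indexing transform uses each pixel's green channel as a palette index, and the lossless bitstream spec says an index at or beyond the table yields transparent black. The `check_pixel_count` step and the `TransformError` type are hypothetical; they assume a caller that knows the header dimensions.

```rust
/// Transparent black, the spec-mandated result for an out-of-range palette index.
const TRANSPARENT_BLACK: u32 = 0x0000_0000;

/// Errors a transform step can report instead of panicking (hypothetical type).
#[derive(Debug, PartialEq)]
pub enum TransformError {
    /// The pixel buffer is shorter than width * height from the header.
    BufferTooShort { expected: usize, actual: usize },
    /// width * height does not fit in usize.
    DimensionOverflow,
}

/// Colour-indexing transform over packed ARGB pixels: each pixel is replaced by
/// the palette entry selected by its green channel (bits 8..16). `get()` returns
/// None for an index beyond the table, so a malformed file cannot panic here.
pub fn apply_color_indexing(pixels: &mut [u32], palette: &[u32]) {
    for px in pixels.iter_mut() {
        let idx = ((*px >> 8) & 0xff) as usize;
        *px = palette.get(idx).copied().unwrap_or(TRANSPARENT_BLACK);
    }
}

/// Check once, up front, that the decoded buffer really holds width * height
/// pixels, so later transforms can index it by (x, y) without a bounds panic.
pub fn check_pixel_count(pixels: &[u32], width: usize, height: usize) -> Result<(), TransformError> {
    let expected = width.checked_mul(height).ok_or(TransformError::DimensionOverflow)?;
    if pixels.len() < expected {
        return Err(TransformError::BufferTooShort { expected, actual: pixels.len() });
    }
    Ok(())
}

fn main() {
    // Constructed sample: a 2-entry palette and three pixels; the third asks for
    // index 5, which a direct `palette[5]` would turn into a bounds-check panic.
    let palette = [0xff00_0000u32, 0xffff_ffffu32];
    let mut pixels = [0x0000_0000u32, 0x0000_0100u32, 0x0000_0500u32];
    apply_color_indexing(&mut pixels, &palette);
    println!("{:08x?}", pixels);

    // A 20x20 header with only 390 decoded pixels is rejected instead of panicking.
    let short = vec![0u32; 390];
    println!("{:?}", check_pixel_count(&short, 20, 20));
}
```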
I'll fix this!