Thread panicking in TiffReader::read_image()

[malteki]

https://github.com/image-rs/image/blob/d407e366e7c080d3757f83c4e120be7f9444b8e1/src/codecs/tiff.rs#L244

I don't know, what path this happened on, because my application iterates over all files in "C:/"

output:

(with RUST_BACKTRACE=full)

thread 'some-thread' panicked at C:\Users\MYNAME\.cargo\registry\src\index.crates.io-6f17d22bba15001f\image-0.25.0\src\codecs\tiff.rs:244:21:
source slice length (24300) does not match destination slice length (97200)
stack backtrace:
   0:     0x7ff676948252 - std::sys_common::backtrace::_print::impl$0::fmt
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\sys_common\backtrace.rs:44
   1:     0x7ff67696d92d - core::fmt::rt::Argument::fmt
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\core\src\fmt\rt.rs:142
   2:     0x7ff67696d92d - core::fmt::write
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\core\src\fmt\mod.rs:1120
   3:     0x7ff6769437c1 - std::io::Write::write_fmt<std::sys::windows::stdio::Stderr>
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\io\mod.rs:1810
   4:     0x7ff67694807a - std::sys_common::backtrace::_print
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\sys_common\backtrace.rs:47
   5:     0x7ff67694807a - std::sys_common::backtrace::print
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\sys_common\backtrace.rs:34
   6:     0x7ff67694a529 - std::panicking::default_hook::closure$1
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:272
   7:     0x7ff67694a1e5 - std::panicking::default_hook
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:292
   8:     0x7ff67694aa54 - std::panicking::rust_panic_with_hook
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:779
   9:     0x7ff67694a929 - std::panicking::begin_panic_handler::closure$0
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:657
  10:     0x7ff676948b59 - std::sys_common::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::closure_env$0,never$>
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\sys_common\backtrace.rs:171
  11:     0x7ff67694a5f2 - std::panicking::begin_panic_handler
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:645
  12:     0x7ff6769c8027 - core::panicking::panic_fmt
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\core\src\panicking.rs:72
  13:     0x7ff6769c87e4 - core::slice::impl$0::copy_from_slice::len_mismatch_fail
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\core\src\slice\mod.rs:3658
  14:     0x7ff6763d8d59 - <image::error::ImageError as core::fmt::Debug>::fmt::h5839837c718db28e
  15:     0x7ff6763f57b2 - image::image::decoder_to_vec::he011e603413437f3
  16:     0x7ff6763d6e61 - image::io::reader::Reader<R>::decode::h8caba6be98c60731
  17:     0x7ff67640fe52 - std::sys_common::backtrace::__rust_begin_short_backtrace::h2de1ef0315b52244
  18:     0x7ff6763c6377 - <&T as core::fmt::Debug>::fmt::he532799be213416c
  19:     0x7ff676957fcc - std::sys::windows::thread::impl$0::new::thread_start
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\sys\windows\thread.rs:58
  20:     0x7ffc0dce257d - BaseThreadInitThunk
  21:     0x7ffc0f9aaa58 - RtlUserThreadStart

code (running in 'some-thread'):

pub fn generate_thumbnail_from_image(
    path: PathBuf,
    max_x: u32,
    max_y: u32
) -> Result<image::RgbaImage, Box<dyn Error>> {
    let reader = image::io::Reader::open(&path)?;
    let dyn_image = reader.decode()?;
    let thumbnail = dyn_image.thumbnail(max_x, max_y);

    Ok(thumbnail.into_rgba8())
}

[fintelia]

I looked briefly into this and the size calculation in the tiff crate looks right to me. Clearly, it is going wrong somehow, but without the failing image I don't think this is very actionable

[malteki]

But what can I do to make it not panic instantly?

[malteki]

I will try to find the image tomorrow 👍🏼

[fintelia]

I'll also add that while there has been a bunch of effort on fuzzing this crate, that work isn't complete. There are still many places where malicious or malformed input can cause an out-of-memory crash or a panic. At the moment, you may want to look into catch_unwind or some other strategy for recovering when the code panics

[mespencer]

Any updates on this? I'm running into it as well. Here is a tiff that causes the issue for me (had to zip it as Github doesn't allow TIFF upload for some reason).

[fintelia]

The output from tiffinfo:

=== TIFF directory 0 ===
TIFF Directory at offset 0x8 (8)
  Image Width: 2973 Image Length: 2770
  Bits/Sample: 8
  Sample Format: unsigned integer
  Compression Scheme: None
  Photometric Interpretation: RGB color
  Samples/Pixel: 3
  Rows/Strip: 2
  Planar Configuration: separate image planes
  Tag 33550: 0.000003,0.000003,0.000000
  Tag 33922: 0.000000,0.000000,0.000000,-68.909284,-22.153031,0.000000
  Tag 34735: 1,1,0,7,1024,0,1,2,1025,0,1,1,2048,0,1,4326,2049,34737,7,0,2054,0,1,9102,2057,34736,1,1,2059,34736,1,0
  Tag 34736: 298.257224,6378137.000000
  Tag 34737: WGS 84|
  GDAL Metadata: <GDALMetadata>
  <Item name="interleave" domain="rio_creation_kwds">band</Item>
  <Item name="tiled" domain="rio_creation_kwds">False</Item>
</GDALMetadata>

  GDAL NoDataValue: 0

Looks like we're probably not handling tiled planar images properly