Creating 0 width/height size images, should be forbidden
Recently, I noticed that the latest version of image-rs started crashing with the following message:
thread '<unnamed>' (9263) panicked at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/image-0.25.8/src/images/dynimage.rs:1500:38:
Image index (0, 1) out of bounds (0, 197379)
stack backtrace:
0: __rustc::rust_begin_unwind
at /rustc/f04e3dfc87d7e2b6ad53e7a52253812cd62eba50/library/std/src/panicking.rs:698:5
1: core::panicking::panic_fmt
at /rustc/f04e3dfc87d7e2b6ad53e7a52253812cd62eba50/library/core/src/panicking.rs:80:14
2: get_pixel<image::color::Rgba<u16>, alloc::vec::Vec<u16, alloc::alloc::Global>>
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/image-0.25.8/src/images/buffer.rs:778:21
3: get_pixel
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/image-0.25.8/src/images/dynimage.rs:1500:38
4: next<image::images::dynimage::DynamicImage>
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/image-0.25.8/src/images/generic_image.rs:165:36
5: fold<image::images::generic_image::Pixels<image::images::dynimage::DynamicImage>, (), core::iter::traits::iterator::Iterator::for_each::call::{closure_env#0}<(u32, u32, image::color::Rgba<u8>), image_hasher::traits::{impl#6}::foreach_pixel8::{closure_env#0}<image_hasher::alg::blockhash::blockhash_slow::{closure_env#0}<image::images::dynimage::DynamicImage, alloc::boxed::Box<[u8], alloc::alloc::Global>>>>>
at /home/runner/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:2602:34
6: for_each<image::images::generic_image::Pixels<image::images::dynimage::DynamicImage>, image_hasher::traits::{impl#6}::foreach_pixel8::{closure_env#0}<image_hasher::alg::blockhash::blockhash_slow::{closure_env#0}<image::images::dynimage::DynamicImage, alloc::boxed::Box<[u8], alloc::alloc::Global>>>>
at /home/runner/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:828:14
7: foreach_pixel8<image_hasher::alg::blockhash::blockhash_slow::{closure_env#0}<image::images::dynimage::DynamicImage, alloc::boxed::Box<[u8], alloc::alloc::Global>>>
at /home/runner/.cargo/git/checkouts/img_hash-06abe7a1dc72f2d8/ba9aebd/src/traits.rs:274:14
8: blockhash_slow<image::images::dynimage::DynamicImage, alloc::boxed::Box<[u8], alloc::alloc::Global>>
at /home/runner/.cargo/git/checkouts/img_hash-06abe7a1dc72f2d8/ba9aebd/src/alg/blockhash.rs:90:9
9: blockhash<image::images::dynimage::DynamicImage, alloc::boxed::Box<[u8], alloc::alloc::Global>>
at /home/runner/.cargo/git/checkouts/img_hash-06abe7a1dc72f2d8/ba9aebd/src/alg/blockhash.rs:31:9
10: hash_image<image::images::dynimage::DynamicImage, alloc::boxed::Box<[u8], alloc::alloc::Global>>
at /home/runner/.cargo/git/checkouts/img_hash-06abe7a1dc72f2d8/ba9aebd/src/alg/mod.rs:125:34
11: hash_image<alloc::boxed::Box<[u8], alloc::alloc::Global>, image::images::dynimage::DynamicImage>
at /home/runner/.cargo/git/checkouts/img_hash-06abe7a1dc72f2d8/ba9aebd/src/lib.rs:365:34
12: __libfuzzer_sys_run
at ./fuzz/fuzz_targets/image_hasher.rs:41:28
13: rust_fuzzer_test_input
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/src/lib.rs:276:60
14: {closure#0}
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/src/lib.rs:62:9
15: do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
at /home/runner/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:590:40
16: catch_unwind<i32, libfuzzer_sys::test_input_wrap::{closure_env#0}>
at /home/runner/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:553:19
17: catch_unwind<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
at /home/runner/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:359:14
18: test_input_wrap
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/src/lib.rs:60:22
19: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/libfuzzer/FuzzerLoop.cpp:619:15
20: _ZN6fuzzer6Fuzzer6RunOneEPKhmbPNS_9InputInfoEbPb
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/libfuzzer/FuzzerLoop.cpp:516:22
21: _ZN6fuzzer6Fuzzer16MutateAndTestOneEv
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/libfuzzer/FuzzerLoop.cpp:765:25
22: _ZN6fuzzer6Fuzzer4LoopERSt6vectorINS_9SizedFileESaIS2_EE
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/libfuzzer/FuzzerLoop.cpp:910:21
23: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/libfuzzer/FuzzerDriver.cpp:915:10
24: main
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/libfuzzer/FuzzerMain.cpp:20:30
25: <unknown>
26: __libc_start_main
27: _start
I tried to track down the issue in the img_hash repository, but I haven’t yet found the root cause. However, I did notice that the loaded image has a size of (0, 197379), which seems odd. How can an image with zero width even exist?
Yes, of course that is possible. Several formats allow independent definitions of width and height even if their product is zero. The codecs etc. generally preserve that detail. And you can provide any mix in the new constructors for ImageBuffer, too.
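Added example, not part of the thread and not code from the image or image_hasher crates: a standalone model of a row-major coordinate walk, showing how dimensions (0, 197379) can lead to a first lookup at (0, 1) as in the panic message, and a caller-side guard that skips zero-area images. `NaiveCoords`, `first_out_of_bounds` and `guarded_coords` are hypothetical names, and the wrap-before-check order is an assumption made for illustration.

```rust
// Standalone model (assumption): not the image crate's iterator source.

/// Row-major coordinate walk that wraps x before checking y.
/// With width == 0 the wrap fires at once, so the first item is (0, 1).
struct NaiveCoords { x: u32, y: u32, width: u32, height: u32 }

impl Iterator for NaiveCoords {
    type Item = (u32, u32);
    fn next(&mut self) -> Option<(u32, u32)> {
        if self.x >= self.width {
            self.x = 0;
            self.y += 1;
        }
        if self.y >= self.height {
            return None;
        }
        let p = (self.x, self.y);
        self.x += 1;
        Some(p)
    }
}

/// Bounds rule a pixel accessor applies: both coordinates strictly inside.
fn in_bounds(x: u32, y: u32, width: u32, height: u32) -> bool {
    x < width && y < height
}

/// First coordinate from the naive walk that an accessor would reject.
fn first_out_of_bounds(width: u32, height: u32) -> Option<(u32, u32)> {
    NaiveCoords { x: 0, y: 0, width, height }
        .find(|&(x, y)| !in_bounds(x, y, width, height))
}

/// Caller-side guard: visit pixels only when the image has area.
fn guarded_coords(width: u32, height: u32) -> Vec<(u32, u32)> {
    if width == 0 || height == 0 {
        return Vec::new(); // zero-area image: nothing to visit or hash
    }
    NaiveCoords { x: 0, y: 0, width, height }.collect()
}

fn main() {
    // Dimensions taken from the panic message in the report.
    println!("{:?}", first_out_of_bounds(0, 197379));
    println!("{:?}", guarded_coords(2, 2));
}
```

In this model only a zero width produces an out-of-range lookup; a zero height ends the walk before any coordinate is produced.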