jpeg-decoder
Debug-mode arithmetic overflow in JPEG decoding (found by fuzzer)
This happens in image from git on commit 04052e64c9a94606efc8bd3d87d5f3e0f566774e
Decoding the attached file results in an arithmetic overflow, causing a panic in debug mode:
thread '<unnamed>' panicked at 'attempt to subtract with overflow', ~/.cargo/registry/src/github.com-1ecc6299db9ec823/jpeg-decoder-0.2.6/src/decoder/lossless.rs:201:15
Reproduction steps
cargo +nightly fuzz run fuzzer_script_jpeg path/to/file
The sample triggering it: underflow.jpeg
Relevant line:
https://github.com/image-rs/jpeg-decoder/blob/beb46c0dfd5e1de00e4f7fc72822bbc6e60d4c75/src/decoder/lossless.rs#L201
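The failure mode the report describes, as an added example that is not jpeg-decoder's own code: lossless JPEG predicts each sample from its already-decoded neighbours (predictor 4 in ITU T.81 is Ra + Rb - Rc) and reduces the reconstructed value modulo 2^16. Evaluating that expression in u16 arithmetic panics under debug assertions and silently wraps in release builds, which is why a fuzzer built with debug assertions catches what a release binary would turn into a wrong pixel. The helper names, the choice of predictor 4 and the constructed sample values are assumptions; the expression at lossless.rs:201 is not reproduced here.

```rust
// Added example, not code from jpeg-decoder. Shows why `ra + rb - rc` on u16
// samples is profile-dependent and two ways to make it deterministic.

/// Naive predictor `Ra + Rb - Rc` evaluated in u16 with checked arithmetic.
/// Returns None where a plain `ra + rb - rc` would panic in a debug build
/// (and wrap in a release build), so the caller can reject the input.
pub fn predict_naive_checked(ra: u16, rb: u16, rc: u16) -> Option<u16> {
    ra.checked_add(rb)?.checked_sub(rc)
}

/// Same predictor evaluated in i32 and reduced modulo 2^16, which is how
/// T.81 defines the reconstruction. Never panics in any build profile.
pub fn predict_wide(ra: u16, rb: u16, rc: u16) -> u16 {
    let px = ra as i32 + rb as i32 - rc as i32;
    (px & 0xffff) as u16
}

/// Apply the decoded difference to the prediction, modulo 2^16.
pub fn reconstruct(prediction: u16, diff: i32) -> u16 {
    ((prediction as i32 + diff) & 0xffff) as u16
}

/// Evaluates the naive u16 expression at runtime and reports whether it
/// panicked: true under debug assertions, false in a release build.
/// `black_box` stops constant folding, which would otherwise turn the
/// overflow into a compile-time `arithmetic_overflow` error.
pub fn naive_predict_panics() -> bool {
    // Constructed neighbourhood where Ra + Rb < Rc (assumed values).
    let (ra, rb, rc) = (
        std::hint::black_box(0u16),
        std::hint::black_box(0u16),
        std::hint::black_box(1u16),
    );
    std::panic::catch_unwind(move || std::hint::black_box(ra + rb - rc)).is_err()
}

fn main() {
    let (ra, rb, rc) = (0u16, 0u16, 1u16);
    println!("checked predictor: {:?}", predict_naive_checked(ra, rb, rc));
    println!("wide predictor:    {:#06x}", predict_wide(ra, rb, rc));
    println!("naive u16 expression panicked: {}", naive_predict_panics());
}
```

Run it once with `cargo run` and once with `cargo run --release`: the checked and wide forms give the same answer in both, while the naive form panics only in the debug profile. Either approach (rejecting the input via checked arithmetic, or widening to i32 and reducing modulo 2^16) removes the profile-dependent behaviour that the fuzzer found.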
@fintelia I also encountered this bug. Panics are high-priority issues for my project. I just created a PR to fix this.
Though it's not very elegant, it does appear to resolve the issue and passes the tests when tested on top of https://github.com/image-rs/jpeg-decoder/pull/259, a change needed to build the tests now that one of the dependencies requires Rust edition 2021 (v1.56.0+).