etemesi254 / zune-image

A fast and memory efficient image library in Rust

Various panics in zune-jpeg #219

Open sigaloid opened 2 months ago

sigaloid commented 2 months ago

Hi, I did some mutation-based fuzzing and found these 20 panics that occur on the latest commit (dd16f5bdc9ded64d57af3c285883049a43b8e1ee):

Testing f2a374644f9e64c0eb3cc81cdda99c7fdd1f5797
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/bitstream.rs:339:20:
attempt to multiply with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing 2b1488070639567997cb0e6953f000b3867e0e54
thread 'main' panicked at crates/zune-jpeg/src/worker.rs:413:13:
assertion `left == right` failed
  left: 256
 right: 128
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing 754f6933e294e8016d0c8764783bbb90b2e23515
thread 'main' panicked at crates/zune-jpeg/src/upsampler/scalar.rs:59:5:
assertion `left == right` failed
  left: 64
 right: 32
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing 15daf076cac75fc71d88b5b1475da54a56c336a9
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:525:56:
range end index 128 out of range for slice of length 64
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing 30e20103ed9b2acbad03aa54e91344df6a256739
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 128 but the index is 128
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing 40fd8bf0a55bd09915973099ae7df3785d590077
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 16512 but the index is 16640
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing f69e5129fcba4f79dc03570f98ab0fbebae1e1d2
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 16512 but the index is 16640
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing fb5c7664dbc9117c998c2f6e76c392e6cc481048
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 128 but the index is 128
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing 9e9b55d900bf047d5cf3edecc0e62250828f7663
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:322:21:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing ca049ac4657a1ff2cb8a5f5ccdc774391d76679f
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/bitstream.rs:564:37:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing de2b0aacb3431b6425eb292bae7a1991bc99370e
thread 'main' panicked at crates/zune-jpeg/src/worker.rs:413:13:
assertion `left == right` failed
  left: 1024
 right: 512
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing a9909f747e700fcd01431330769ae9faba7ac420
thread 'main' panicked at crates/zune-jpeg/src/upsampler/scalar.rs:59:5:
assertion `left == right` failed
  left: 80
 right: 40
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing c8a925e39b0ad2589e588a4dbd51f234b3299e65
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 16512 but the index is 16640
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing 482103221bc18230f3a41b364da02bb298770806
thread 'main' panicked at crates/zune-jpeg/src/upsampler/scalar.rs:59:5:
assertion `left == right` failed
  left: 64
 right: 32
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing 4383a0c6805d99c4aa7bcc48c07dc719ff72cba4
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/bitstream.rs:564:37:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing 8bb50809d589e6ec4b555ce9cf69b27d8b36c528
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 16512 but the index is 16640
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing 5316ef2d8fa08ce11477f5008de84f488ec6740b
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 128 but the index is 128
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing 430fcba35c5e3db14ff0aafe87ddb81a6c5bdd8b
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 16512 but the index is 16640
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing 7e8ef95a03083f33c82be7c19fc9bbad3f1d9a4c
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:525:56:
range end index 128 out of range for slice of length 64
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Testing f0d5fdfaa0f43174a7e6ce64761606538c2f7e65
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:264:26:
called `Option::unwrap()` on a `None` value
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Attached are the inputs that crash with the following code:

```rust
use zune_jpeg::zune_core::bytestream::ZCursor;

// Fuzz harness body: decode arbitrary bytes; a panic (rather than an `Err`) is a finding.
fn decode_untrusted(data: &[u8]) {
    let data = ZCursor::new(data);
    let mut decoder = zune_jpeg::JpegDecoder::new(data);
    let _ = decoder.decode();
}
```

[crashes.zip](https://github.com/user-attachments/files/16326257/crashes.zip)

sigaloid commented 2 months ago

Some of these are duplicates of each other, and notably zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58 is a dupe of #218, but I included them here for completeness; the others are still valid crashes.
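Triaging a run like the one above is mostly a matter of collapsing inputs by panic site, as the duplicates note does by hand. The following helper is an added example for this issue, not code from zune-image or the reporter: it assumes the log format shown here ("Testing <hash>", then "thread 'main' panicked at <file>:<line>:<col>:", then the message) and runs over a constructed sample in that format.

```rust
use std::collections::BTreeMap;

/// One panic site ("<path>:<line>:<col>") and the fuzz inputs that reached it.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CrashSite {
    pub message: String,     // first message line after "panicked at"
    pub inputs: Vec<String>, // hashes from the preceding "Testing <hash>" lines
}

/// Group a fuzz log by panic location. Absolute path prefixes are stripped so
/// "/home/mds/zune-image/crates/..." and "crates/..." count as the same site;
/// only the first message line is kept (assert failures span several lines).
pub fn group_panics(log: &str) -> BTreeMap<String, CrashSite> {
    let mut sites: BTreeMap<String, CrashSite> = BTreeMap::new();
    let mut lines = log.lines().map(str::trim);
    let mut current_input: Option<String> = None;
    while let Some(line) = lines.next() {
        if let Some(hash) = line.strip_prefix("Testing ") {
            current_input = Some(hash.to_string());
        } else if let Some(rest) = line.strip_prefix("thread 'main' panicked at ") {
            let loc = rest.trim_end_matches(':');
            let loc = match loc.find("crates/") { Some(i) => &loc[i..], None => loc };
            let message = lines.next().unwrap_or("").to_string();
            let site = sites.entry(loc.to_string()).or_insert(CrashSite { message, inputs: Vec::new() });
            site.inputs.extend(current_input.take()); // each input counted once
        }
    }
    sites
}

/// Constructed sample in the issue's log format (not a real fuzz run).
pub const SAMPLE_LOG: &str = "\
Testing f2a374644f9e64c0eb3cc81cdda99c7fdd1f5797
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/bitstream.rs:339:20:
attempt to multiply with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Testing 30e20103ed9b2acbad03aa54e91344df6a256739
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 128 but the index is 128
Testing 40fd8bf0a55bd09915973099ae7df3785d590077
thread 'main' panicked at crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 16512 but the index is 16640
";

fn main() {
    for (loc, site) in group_panics(SAMPLE_LOG) {
        println!("{loc}: {} input(s), e.g. {}", site.inputs.len(), site.message);
    }
}
```

On the sample this reports two distinct sites, with both mcu_prog.rs:391:58 inputs folded into one entry.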

etemesi254 commented 2 months ago

Hi, thank you for this, will look into it.

Another thing that would be helpful is to fuzz the other formats, jpeg is getting too much love :)

sigaloid commented 2 months ago

I did, but didn't find anything yet :) I'd bet it's partially because there are more samples in the jpeg corpus than for other file formats.

Update: I stand corrected :p a few were found in zune-png; will create a new issue when I get the chance!