Below is an example program that triggers an integer overflow. Simply calling imageproc::contrast::adaptive_threshold with specific image files triggers this vulnerability.
PoC
You can test both vulnerabilities by following the guide below.
Code:
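```rust
use imageproc::contrast::adaptive_threshold;
use std::fs::read;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Path to one of the attached PNG inputs.
    let file_path = "png_name";
    let buffer = read(file_path)?;
    let img = image::load_from_memory(&buffer)?;
    // Convert to 8-bit grayscale before thresholding.
    let rgb_image = img.to_luma8();
    // Call under test: the reported overflow is triggered here.
    let _ = adaptive_threshold(&rgb_image, 10);
    println!("Done.");
    Ok(())
}
```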
Hi, I've been using libFuzzer to fuzz this crate, and I've found 2 APIs that may panic due to arithmetic overflow.
Issue Description
We are getting crashes in the `adaptive_threshold` function. The following code blocks trigger integer overflow:
https://github.com/image-rs/imageproc/blob/2bb334712bc39c1f20ad66e4f530208466d15612/src/integral_image.rs#L142
https://github.com/image-rs/imageproc/blob/2bb334712bc39c1f20ad66e4f530208466d15612/src/integral_image.rs#L174
Reproduction
first#174.png -> This input will trigger this vulnerable code block: https://github.com/image-rs/imageproc/blob/2bb334712bc39c1f20ad66e4f530208466d15612/src/integral_image.rs#L174
second#142.png -> This input will trigger this vulnerable code block: https://github.com/image-rs/imageproc/blob/2bb334712bc39c1f20ad66e4f530208466d15612/src/integral_image.rs#L142
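
An added example, not part of the original report and not imageproc's code: a summed-area table (integral image) over 8-bit pixels that rejects inputs whose worst-case sum cannot fit the accumulator, and a box sum that widens before combining corners. The `u32` accumulator and the names `fits_u32`, `integral` and `box_sum` are assumptions; the block does not reproduce the linked lines.

```rust
use std::convert::TryFrom;

#[derive(Debug, PartialEq)]
pub enum IntegralError { BadDimensions, WouldOverflow }

/// True when even an all-255 image of w x h pixels sums to at most u32::MAX.
pub fn fits_u32(w: usize, h: usize) -> bool {
    let worst = (w as u64).checked_mul(h as u64).and_then(|n| n.checked_mul(255));
    worst.map_or(false, |s| s <= u32::MAX as u64)
}

/// Build the (w+1) x (h+1) table; entry (x, y) is the sum of pixels in [0,x) x [0,y).
pub fn integral(pixels: &[u8], w: usize, h: usize) -> Result<Vec<u32>, IntegralError> {
    if w == 0 || h == 0 || w.checked_mul(h) != Some(pixels.len()) {
        return Err(IntegralError::BadDimensions);
    }
    if !fits_u32(w, h) {
        return Err(IntegralError::WouldOverflow); // rejected before the table is allocated
    }
    let stride = w + 1;
    let mut out = vec![0u32; stride * (h + 1)];
    for y in 0..h {
        let mut row_sum = 0u32; // at most 255 * w, which fits after fits_u32
        for x in 0..w {
            row_sum += pixels[y * w + x] as u32;
            out[(y + 1) * stride + x + 1] = out[y * stride + x + 1] + row_sum;
        }
    }
    Ok(out)
}

/// Sum over the inclusive box; None when the box is inverted or out of range.
pub fn box_sum(ii: &[u32], w: usize, l: usize, t: usize, r: usize, b: usize) -> Option<u32> {
    if l > r || t > b || r >= w {
        return None;
    }
    let s = w.checked_add(1)?;
    let at = |x: usize, y: usize| -> Option<u64> {
        ii.get(y.checked_mul(s)?.checked_add(x)?).map(|v| *v as u64)
    };
    // Widen to u64: two corners added in u32 can overflow even when the box sum fits.
    let (tl, br) = (at(l, t)?, at(r + 1, b.checked_add(1)?)?);
    let (tr, bl) = (at(r + 1, t)?, at(l, b + 1)?);
    (tl + br).checked_sub(tr + bl).and_then(|v| u32::try_from(v).ok())
}

fn main() {
    let ii = integral(&[1, 2, 3, 4], 2, 2).unwrap(); // constructed 2x2 sample
    println!("{:?} {:?}", box_sum(&ii, 2, 1, 0, 1, 1), fits_u32(4105, 4104));
}
```

The size check is conservative: it also rejects large images that are mostly dark. A `u64` accumulator is the alternative when such images must be accepted.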