image-rs / jpeg-decoder

JPEG decoder written in Rust
Apache License 2.0

Debug-mode arithmetic overflow in JPEG decoding (found by fuzzer) #250

Closed Shnatsel closed 2 years ago

Shnatsel commented 2 years ago

This happens in image from git on commit 04052e64c9a94606efc8bd3d87d5f3e0f566774e

Decoding the attached file results in an arithmetic overflow, causing a panic in debug mode:

thread '<unnamed>' panicked at 'attempt to subtract with overflow', ~/.cargo/registry/src/github.com-1ecc6299db9ec823/jpeg-decoder-0.2.6/src/decoder/lossless.rs:201:15

Reproduction steps

cargo +nightly fuzz run fuzzer_script_jpeg path/to/file

The sample triggering it: underflow.jpeg

fintelia commented 2 years ago

Relevant line:

https://github.com/image-rs/jpeg-decoder/blob/beb46c0dfd5e1de00e4f7fc72822bbc6e60d4c75/src/decoder/lossless.rs#L201

micahsnyder commented 2 years ago

@fintelia I also encountered this bug. Panics are high-priority issues for my project. I just created a PR to fix this.

Though it's not very elegant, it does appear to resolve the issue and passes the tests if tested on top of https://github.com/image-rs/jpeg-decoder/pull/259, a change needed to build the tests now that one of the dependencies requires Rust edition 2021 (v1.56.0+).
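The shape of this class of bug and a checked alternative, as an added illustration that is neither jpeg-decoder's code nor the PR referenced above. It assumes the overflowing subtraction is the lossless predictor's initial value `1 << (precision - point_transform - 1)` computed in `u8` arithmetic from header fields, with a fuzzed SOF3 header able to request a point transform larger than the sample precision; the function and error names are hypothetical.

```rust
// Added example, not jpeg-decoder's own code. Assumes the panicking
// subtraction is the lossless predictor's initial value computed from
// header-supplied `precision` and `point_transform` in u8 arithmetic.

#[derive(Debug, PartialEq)]
pub enum PredictError {
    /// Header asked for a point transform that leaves no bits to predict.
    PointTransformTooLarge { precision: u8, point_transform: u8 },
}

/// Unchecked form of the computation: when `point_transform >= precision`
/// the u8 subtraction underflows, which panics in debug builds
/// ("attempt to subtract with overflow") and silently wraps in release.
pub fn initial_prediction_unchecked(precision: u8, point_transform: u8) -> i32 {
    1 << (precision - point_transform - 1)
}

/// Hardened form: make the overflow a decode error instead of a panic.
/// `checked_sub` returns None on underflow, which becomes a typed error
/// that the caller can surface as "invalid file" rather than crashing.
pub fn initial_prediction(precision: u8, point_transform: u8) -> Result<i32, PredictError> {
    let shift = precision
        .checked_sub(point_transform)
        .and_then(|bits| bits.checked_sub(1))
        .ok_or(PredictError::PointTransformTooLarge { precision, point_transform })?;
    Ok(1i32 << shift)
}

fn main() {
    // Constructed header values: a valid 8-bit frame with no point transform,
    // then a malformed one whose point transform exceeds the precision.
    println!("{:?}", initial_prediction(8, 0)); // Ok(128)
    println!("{:?}", initial_prediction(8, 8)); // Err(PointTransformTooLarge { .. })
}
```

The checked version costs one comparison per restart interval or row start, so validating the header fields once at parse time is equally acceptable; what matters is that malformed input yields an error value, not a panic.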