Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Various panics in zune-png #221

Open
sigaloid opened this issue Jul 23, 2024 · 2 comments
Open

Various panics in zune-png #221

sigaloid opened this issue Jul 23, 2024 · 2 comments

Comments

@sigaloid
Copy link

Hi, I did some mutation-based fuzzing again but on zune-png and found more panics.

Testing 01a9065e5558450bb9ca25f1bb6b63beb1497429.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:635:50:
called `Option::unwrap()` on a `None` value
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 2bc42e5b383c4993bc3b6430184999c4706d17f9.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 2dded3c25354fc33e319060dd0b8cd03ef2bf0b9.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:519:56:
range start index 4544 out of range for slice of length 4542
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 2e2d013ae03383cd54894f92944d2f2a0dbcd540.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:519:56:
range start index 179 out of range for slice of length 175
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 02e7afd1c44e54905fa5fd317974983c881b214a.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:635:50:
called `Option::unwrap()` on a `None` value
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 3ee00833b940ba89956d23dbaf334dd08da6f376.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 4a7c56ac131e1e4a4003c8c4573e2c22ee680535.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:519:56:
range start index 179 out of range for slice of length 177
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 5a169feb55e64decd53b2fd35f0fb0c017028c24.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:816:28:
range end index 4804 out of range for slice of length 600
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 5c6ec2f315cf8109031cb1f118af659bc1a47f36.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 5dcac9cf22ff28ffd07a39eb2738435ba786b992.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:635:50:
called `Option::unwrap()` on a `None` value
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 6b72b394e426abdd3b894f1ab9a9102009b4d3f2.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 6f2334cb56bae7874ec856736ab30e755e91a1f2.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 7b53bb8285cc70a126281cd991bef5101c823b48.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:635:50:
called `Option::unwrap()` on a `None` value
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 7ce342500e1405f3e429379dc7a59ae0b9fe4e40.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 7d4b3dc5f8ec7f1f6e40b36a75cefe7c1c70a4d1.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 7e1acedc6f0e576074a1781cbf96b09385b87eab.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:816:28:
range end index 45700 out of range for slice of length 40000
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 7fc08bc7c04c44ff4899096388a9a3dc2cc4570c.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 9c2540272c6cd35fa6992e2f89e00525c606978f.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 22f8c06b80de89f0e7c214e0e15cd0f760dec476.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:816:28:
range end index 23321 out of range for slice of length 22500
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 29e8f657f364222e3f8217035da9348b522921b9.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 36ee4e78ff17b44022be999d149518664b62ed40.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:519:56:
range start index 179 out of range for slice of length 175
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 051f108e8eab1e84ba18269d9a37a01652e369ce.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:816:28:
range end index 19204 out of range for slice of length 17600
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 069ee5d9873c41d0fee144e97702115dc7a0301b.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 76dc3700e9bffb521af196d3de9eb1cfecdd7d1f.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:816:28:
range end index 184323 out of range for slice of length 30000
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 78d89b6bce34bda3e8696496fae126bc18f88335.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:816:28:
range end index 45188 out of range for slice of length 39600
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 80d9991980e3c4a6ed48140b73d751aa98460ead.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 90efb0f1f42cc7bb2b9c35611bc9c194675cbf35.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 766bac5b80f4ecce7d202ef9b817c0df2d7ce03c.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:816:28:
range end index 45572 out of range for slice of length 40000
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 862e745cdc17abbc17c4b03947c058ef8cd1ea44.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:635:50:
called `Option::unwrap()` on a `None` value
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 1145d52014c93a85ed3e410201e602f6d4ea403c.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:635:50:
called `Option::unwrap()` on a `None` value
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 2999cb3d52ccb7d5a62b30ff5e918de19217f878.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 5768a54b04086fd1c5f9c1af4b3ff6e8536821f3.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 7589eb51445f9f089658bb07ab3ecf9f48791f90.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 8991e4a0c18d4cec3e4097daf26623d9bbd18cb1.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 2139364b62c710fec99fdc67cd99ac57de5749ee.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:816:28:
range end index 184323 out of range for slice of length 30000
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing 948633673a35fcaf8e7642f084e3e661327304e9.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing a29186c4369ede2838c529b8e354ffb32428f752.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing ada375a0a712941829659315a1f1f6327b08ebc0.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:816:28:
range end index 148100 out of range for slice of length 139944
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing b4ddab9f83fa1ac3c70d9cce02c312a76c87d14d.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing bc7f2c0cb08ed28837bda5bf6594576f17fd7898.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing ce43f470465a1e5149a0e8f586a4a3323231c5a1.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:635:50:
called `Option::unwrap()` on a `None` value
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing d0f0e40d3ee50da2a2fb8e5f54917c33843609ca.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing d4e1b0662bb410c7f0bc377fa1b9d61f0c4dba20.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:816:28:
range end index 23321 out of range for slice of length 22500
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing d8a2130df82ae4f4c4f08cdf02030f99372470cb.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:519:56:
range start index 179 out of range for slice of length 175
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing d19a03489b017259459109b79307a476f40fbea1.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing d514e9236d3a3b4136bd7d5d0b8f1b05329cd5aa.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing de792af39d7b41dbd6af6875a56576a115f0cbff.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing dec3d00bbb8a375288341225d0e84014b3d8998a.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing e5ba4dcd3318b5f3a2a12ddf533aabfc7978bed8.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing f0be1d8d59f919fe1a79a0fc076b243f1aadfc2e.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing fcdc43e8ec14c35b02c881286540d915b06974be.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/decoder.rs:816:28:
range end index 45572 out of range for slice of length 39200
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


Testing fe882e76c757ec2b1fa88c2a1e0a707e648326e6.crash
thread 'main' panicked at /home/mattop/zune-image/crates/zune-png/src/headers/readers.rs:517:30:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Attached are the inputs that crash with the following code:

        use zune_core::bytestream::ZCursor;
        let opts = zune_core::options::DecoderOptions::new_fast();

        let data = ZCursor::new(data);
        let mut decoder = zune_png::PngDecoder::new_with_options(data, opts);
        let _ = decoder.decode();

zune-png-crash-files.zip
etemesi254 added a commit that referenced this issue Jul 26, 2024
@etemesi254
png/decoder: Fix underflow error and handle and choose safer way to t…
5b1d147 
…ransfer interlace.

Fixes crashes in #221
@etemesi254
Copy link
Owner

Please confirm that the changes fix the bugs identified (latest commit)

@sigaloid
Copy link
Author

One crash persists - these files give the below error.

01a9065e5558450bb9ca25f1bb6b63beb1497429.crash
02e7afd1c44e54905fa5fd317974983c881b214a.crash
5dcac9cf22ff28ffd07a39eb2738435ba786b992.crash
7b53bb8285cc70a126281cd991bef5101c823b48.crash
862e745cdc17abbc17c4b03947c058ef8cd1ea44.crash
1145d52014c93a85ed3e410201e602f6d4ea403c.crash
ce43f470465a1e5149a0e8f586a4a3323231c5a1.crash

thread 'main' panicked at zune-image/crates/zune-png/src/decoder.rs:635:50:
called `Option::unwrap()` on a `None` value

etemesi254 added a commit that referenced this issue Jul 27, 2024
@etemesi254
png/decoder: Don't panic on overflow in calculation and inform the user.
7fee844 
Fixes the remaining crashes in #221
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@etemesi254 @sigaloid