
Various panics in zune-jpeg #219

Open
sigaloid opened this issue Jul 21, 2024 · 3 comments

Comments

@sigaloid

Hi, I did some mutation-based fuzzing and found these 20 panics that occur on the latest commit (dd16f5b):

Testing f2a374644f9e64c0eb3cc81cdda99c7fdd1f5797
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/bitstream.rs:339:20:
attempt to multiply with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing 2b1488070639567997cb0e6953f000b3867e0e54
thread 'main' panicked at crates/zune-jpeg/src/worker.rs:413:13:
assertion `left == right` failed
  left: 256
 right: 128
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing 754f6933e294e8016d0c8764783bbb90b2e23515
thread 'main' panicked at crates/zune-jpeg/src/upsampler/scalar.rs:59:5:
assertion `left == right` failed
  left: 64
 right: 32
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing 15daf076cac75fc71d88b5b1475da54a56c336a9
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:525:56:
range end index 128 out of range for slice of length 64
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing 30e20103ed9b2acbad03aa54e91344df6a256739
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 128 but the index is 128
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing 40fd8bf0a55bd09915973099ae7df3785d590077
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 16512 but the index is 16640
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing f69e5129fcba4f79dc03570f98ab0fbebae1e1d2
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 16512 but the index is 16640
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing fb5c7664dbc9117c998c2f6e76c392e6cc481048
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 128 but the index is 128
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing 9e9b55d900bf047d5cf3edecc0e62250828f7663
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:322:21:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing ca049ac4657a1ff2cb8a5f5ccdc774391d76679f
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/bitstream.rs:564:37:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing de2b0aacb3431b6425eb292bae7a1991bc99370e
thread 'main' panicked at crates/zune-jpeg/src/worker.rs:413:13:
assertion `left == right` failed
  left: 1024
 right: 512
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing a9909f747e700fcd01431330769ae9faba7ac420
thread 'main' panicked at crates/zune-jpeg/src/upsampler/scalar.rs:59:5:
assertion `left == right` failed
  left: 80
 right: 40
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing c8a925e39b0ad2589e588a4dbd51f234b3299e65
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 16512 but the index is 16640
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing 482103221bc18230f3a41b364da02bb298770806
thread 'main' panicked at crates/zune-jpeg/src/upsampler/scalar.rs:59:5:
assertion `left == right` failed
  left: 64
 right: 32
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing 4383a0c6805d99c4aa7bcc48c07dc719ff72cba4
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/bitstream.rs:564:37:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing 8bb50809d589e6ec4b555ce9cf69b27d8b36c528
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 16512 but the index is 16640
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing 5316ef2d8fa08ce11477f5008de84f488ec6740b
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 128 but the index is 128
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing 430fcba35c5e3db14ff0aafe87ddb81a6c5bdd8b
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58:
index out of bounds: the len is 16512 but the index is 16640
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing 7e8ef95a03083f33c82be7c19fc9bbad3f1d9a4c
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:525:56:
range end index 128 out of range for slice of length 64
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace



Testing f0d5fdfaa0f43174a7e6ce64761606538c2f7e65
thread 'main' panicked at /home/mds/zune-image/crates/zune-jpeg/src/mcu_prog.rs:264:26:
called `Option::unwrap()` on a `None` value
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Attached are the inputs that crash with the following code:

        // Harness: hand the fuzzer-generated bytes to the decoder; any panic is a finding.
        fn decode(data: &[u8]) {
            use zune_jpeg::zune_core::bytestream::ZCursor;
            let data = ZCursor::new(data);
            let mut decoder = zune_jpeg::JpegDecoder::new(data);
            let _ = decoder.decode();
        }

[crashes.zip](https://github.com/user-attachments/files/16326257/crashes.zip)
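The panics listed above fall into a few classes: integer overflow (`attempt to multiply/subtract with overflow`), out-of-range indexing and slicing, `Option::unwrap()` on `None`, and size assertions (`left == right` failed). For a library that decodes attacker-supplied images, every one of them is a malformed-input condition that should come back as an `Err`; as a panic it is at minimum a denial of service, and in a `panic = "abort"` build it takes the whole process down. The block below is an added example written for this edit, not code from zune-jpeg or from the issue: it shows the `Result`-returning shape for each class. The `DecodeError` type, the function names and the 64-coefficient block layout are illustrative assumptions.

```rust
/// Error a decoder returns for malformed input instead of panicking (illustrative type,
/// not zune-jpeg's).
#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    Overflow(&'static str),
    BlockOutOfRange { start: usize, end: usize, len: usize },
    BadBlockLen(usize),
    MissingTable(u8),
}

/// Coefficients per 8x8 block.
pub const BLOCK: usize = 64;

/// Dequantize one coefficient. Both operands come from the file, so the product is
/// computed in i32, where i16 * u16 cannot overflow, instead of letting `coeff * quant`
/// panic with "attempt to multiply with overflow" in i16.
pub fn dequantize(coeff: i16, quant: u16) -> i32 {
    coeff as i32 * quant as i32
}

/// Copy one block into `plane` at block index `idx`. The block offset is computed with
/// checked arithmetic and the destination is obtained with `get_mut`, so an index past
/// the end, or a plane whose length disagrees with the header, is an Err rather than
/// "range end index ... out of range for slice of length ...". The length check replaces
/// an `assert_eq!` that would otherwise fire on a truncated block.
pub fn place_block(plane: &mut [i16], idx: usize, block: &[i16]) -> Result<(), DecodeError> {
    if block.len() != BLOCK {
        return Err(DecodeError::BadBlockLen(block.len()));
    }
    let start = idx
        .checked_mul(BLOCK)
        .ok_or(DecodeError::Overflow("block offset"))?;
    let end = start
        .checked_add(BLOCK)
        .ok_or(DecodeError::Overflow("block end"))?;
    let len = plane.len();
    let dst = plane
        .get_mut(start..end)
        .ok_or(DecodeError::BlockOutOfRange { start, end, len })?;
    dst.copy_from_slice(block);
    Ok(())
}

/// Look up the Huffman table a scan header selects. A table id the file never defined,
/// or one outside 0..4, is an Err rather than `Option::unwrap()` on a `None` value.
pub fn select_table<'a>(tables: &'a [Option<Vec<u8>>; 4], id: u8) -> Result<&'a [u8], DecodeError> {
    tables
        .get(id as usize)
        .and_then(|t| t.as_deref())
        .ok_or(DecodeError::MissingTable(id))
}

fn main() {
    // Constructed values; a real decoder would take them from the DQT/SOF/SOS segments.
    let mut plane = vec![0i16; 2 * BLOCK];
    let block = [7i16; BLOCK];
    println!("{:?}", place_block(&mut plane, 1, &block)); // Ok(())
    println!("{:?}", place_block(&mut plane, 2, &block)); // Err(BlockOutOfRange { .. })
    println!("{}", dequantize(2000, 200)); // 400000, would overflow i16
    let tables: [Option<Vec<u8>>; 4] = [Some(vec![1, 2]), None, None, None];
    println!("{:?}", select_table(&tables, 3)); // Err(MissingTable(3))
}
```

The pattern is the same in each function: a value that came from the file is validated or computed with a checked operation before it is used as an index, a length or an operand, and the failure is surfaced through the existing `Result` path so the fuzzer sees a clean `Err` instead of a crash.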

@sigaloid
Author

Some of these are duplicates of each other and notably zune-image/crates/zune-jpeg/src/mcu_prog.rs:391:58 is a dupe from #218 but I included them here for completeness - the others are still valid crashes.
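The harness in the first comment and the by-hand dedupe in the comment above suggest a small triage step between "fuzzer found N crashes" and "file an issue". The following is an added example, not code from the issue or from zune-jpeg: it runs each crash input under `catch_unwind` with a panic hook that records the panic's file, line and message, then groups the inputs by location, which is exactly how the `mcu_prog.rs:391:58` inputs above collapse into one finding. `decode_stub` is a hypothetical stand-in for `JpegDecoder::decode` that panics in the same classes as the issue; in use you would pass the real decode closure and read the inputs from crashes.zip.

```rust
use std::collections::BTreeMap;
use std::panic::{self, AssertUnwindSafe};
use std::sync::Mutex;

/// Location and message of the most recent panic, recorded by the hook installed in `triage`.
static LAST_PANIC: Mutex<Option<(String, u32, String)>> = Mutex::new(None);

/// Stand-in for `JpegDecoder::decode` (hypothetical, not the zune-jpeg decoder). Byte 0 selects
/// a code path and byte 1 is an untrusted "header" value, so the same classes of panic as in
/// the issue can be reproduced from constructed inputs.
fn decode_stub(data: &[u8]) {
    let coeffs = [0u8; 64]; // one 8x8 block of coefficients
    let kind = data.first().copied().unwrap_or(0);
    let n = data.get(1).copied().unwrap_or(0) as usize;
    match kind {
        0 => {
            let _v = coeffs[n]; // index out of bounds
        }
        1 => {
            let _s = &coeffs[..n]; // range end index out of range for slice
        }
        2 => {
            let _b = data.get(2).unwrap(); // called `Option::unwrap()` on a `None` value
        }
        _ => assert_eq!(n, 64, "block size mismatch"), // assertion `left == right` failed
    }
}

/// One group of crashing inputs that all panic at the same source location.
#[derive(Debug)]
pub struct Bucket {
    pub file: String,
    pub line: u32,
    pub message: String,
    pub inputs: Vec<String>,
}

/// Run `decode` over every (name, bytes) pair, catch the panic, and group the inputs by
/// panic location. Inputs that decode without panicking are not reported.
pub fn triage(decode: impl Fn(&[u8]), inputs: &[(&str, &[u8])]) -> Vec<Bucket> {
    let previous = panic::take_hook();
    // Replace the default hook (which would print every panic) with one that records
    // file:line and the message of the panic that is being caught.
    panic::set_hook(Box::new(|info| {
        let msg = if let Some(s) = info.payload().downcast_ref::<&str>() {
            s.to_string()
        } else if let Some(s) = info.payload().downcast_ref::<String>() {
            s.clone()
        } else {
            "<non-string panic payload>".to_string()
        };
        let (file, line) = info
            .location()
            .map(|l| (l.file().to_string(), l.line()))
            .unwrap_or_default();
        *LAST_PANIC.lock().unwrap() = Some((file, line, msg));
    }));

    let mut groups: BTreeMap<(String, u32), Bucket> = BTreeMap::new();
    for &(name, bytes) in inputs {
        *LAST_PANIC.lock().unwrap() = None;
        if panic::catch_unwind(AssertUnwindSafe(|| decode(bytes))).is_err() {
            if let Some((file, line, message)) = LAST_PANIC.lock().unwrap().take() {
                groups
                    .entry((file.clone(), line))
                    .or_insert_with(|| Bucket { file, line, message, inputs: Vec::new() })
                    .inputs
                    .push(name.to_string());
            }
        }
    }
    panic::set_hook(previous);
    groups.into_values().collect()
}

fn main() {
    // Constructed crash inputs standing in for the files in crashes.zip.
    let inputs: &[(&str, &[u8])] = &[
        ("oob-a", &[0, 128]),
        ("oob-b", &[0, 64]),
        ("range", &[1, 128]),
        ("none", &[2]),
        ("assert", &[3, 32]),
        ("clean", &[0, 5]),
    ];
    for b in triage(decode_stub, inputs) {
        println!("{}:{} {} <- {:?}", b.file, b.line, b.message, b.inputs);
    }
}
```

Two caveats when pointing this at a real decoder: `catch_unwind` only works with the default `panic = "unwind"` profile, so a crash corpus collected from a `panic = "abort"` fuzz build has to be replayed in a normal build; and the hook records the first panic only, which is what you want for triage but means a second panic during unwinding (for example in a `Drop`) is not seen.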

@etemesi254
Owner

Hi, thank you for this, will look into it.

Another thing that would be helpful is to fuzz the other formats, jpeg is getting too much love :)

@sigaloid
Author

sigaloid commented Jul 23, 2024

I did but didn't find anything yet :) I'd bet it's partially because there's more samples in the jpeg corpus than for other file formats

Update: I stand corrected :p a few found in zune-png, will create a new issue when I get the chance!
