Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Out-of-bounds in gif::Decoder #625

Closed
nagisa opened this issue Feb 24, 2017 · 6 comments
Closed

Out-of-bounds in gif::Decoder #625

nagisa opened this issue Feb 24, 2017 · 6 comments

Comments

@nagisa
Copy link

nagisa commented Feb 24, 2017

Following base64-encoded gif image causes the gif decoder to panic with OOB condition:

R0lGODdhIAAgAIABAJQnJ////ywAAAAAIOgAAHUAAAAAAAAAAAAArDsAAlGEj1GE///L7Q+j

or a shorter

R0lGODdhIAAgAIABAJQ7J////ywAR7wpSSEAAEYAADg3YQA=
@nwin
Copy link
Contributor

nwin commented Feb 24, 2017

I cannot reproduce that error. It doesn’t panic but returns an error. Can you please provide the code you used to test this?

$ cargo run --example opening test.gif 
    Finished debug [unoptimized + debuginfo] target(s) in 0.0 secs
     Running `target/debug/examples/opening test.gif`
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: FormatError("malformed GIF header")', ../src/libcore/result.rs:799
note: Run with `RUST_BACKTRACE=1` for a backtrace.

@nwin
Copy link
Contributor

nwin commented Feb 24, 2017

Ahh, I see. I didn’t use the base64 decoder correctly.

How do you come to this images anyway? If you used some fuzzing I would really appreciated if you would share the code.

@nagisa
Copy link
Author

nagisa commented Feb 24, 2017

The code I used is:

extern crate image;

use image::ImageDecoder;

fn main() {
    let f = ::std::fs::File::open("oob.gif").unwrap();
    let x = image::gif::Decoder::new(f).read_image();
}

where sha1sum of oob.gif is 3f673b772a1e56da103e6b480ee3af7975c3c9d7 (eyeballing the base64 of the image seems to match the first example I pasted, so no mistakes copy-pasting)

@nagisa
Copy link
Author

nagisa commented Feb 24, 2017

And yes, images are generated by the quite new cargo-fuzz utility we’re developing. It just happened that I had a bright idea to fuzz image crate on the way home :)

@nwin
Copy link
Contributor

nwin commented Feb 24, 2017

I’m a bit disappointed that this went through, I actually let afl run for a while on the gif decoder (see https://github.com/PistonDevelopers/image-gif)…

@nwin
Copy link
Contributor

nwin commented Feb 24, 2017

Closed via image-rs/image-gif@3755875

@nwin nwin closed this as completed Feb 24, 2017
nwin added a commit that referenced this issue Feb 24, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants