Out-of-bounds in gif::Decoder
nagisa opened this issue · 6 comments
The following base64-encoded GIF image causes the gif decoder to panic with an OOB condition:
R0lGODdhIAAgAIABAJQnJ////ywAAAAAIOgAAHUAAAAAAAAAAAAArDsAAlGEj1GE///L7Q+j
or a shorter one:
R0lGODdhIAAgAIABAJQ7J////ywAR7wpSSEAAEYAADg3YQA=
I cannot reproduce that error. It doesn’t panic but returns an error. Can you please provide the code you used to test this?
$ cargo run --example opening test.gif
Finished debug [unoptimized + debuginfo] target(s) in 0.0 secs
Running `target/debug/examples/opening test.gif`
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: FormatError("malformed GIF header")', ../src/libcore/result.rs:799
note: Run with `RUST_BACKTRACE=1` for a backtrace.
Ahh, I see. I didn’t use the base64 decoder correctly.
How did you come by these images anyway? If you used some fuzzing I would really appreciate it if you would share the code.
The code I used is:
extern crate image;
// ImageDecoder is the trait that provides read_image().
use image::ImageDecoder;

fn main() {
    let f = ::std::fs::File::open("oob.gif").unwrap();
    // The panic happens inside the decoder, before the Result is inspected.
    let _x = image::gif::Decoder::new(f).read_image();
}
where the sha1sum of oob.gif is 3f673b772a1e56da103e6b480ee3af7975c3c9d7 (eyeballing the base64 of the image, it seems to match the first example I pasted, so no copy-pasting mistakes).
And yes, the images are generated by the quite new cargo-fuzz utility we’re developing. It just so happened that I had a bright idea to fuzz the image crate on the way home :)
I’m a bit disappointed that this went through; I actually let afl run for a while on the gif decoder (see https://github.com/PistonDevelopers/image-gif)…
Closed via image-rs/image-gif@3755875