Add with overflow when decoding a malformed png image

Question

Add with overflow when decoding a malformed png image

nagisa opened this issue 8 years ago · 1 comments

thread 'main' panicked at 'attempt to add with overflow', /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/inflate-0.1.1/src/lib.rs:212
stack backtrace:
   1:     0x55dad0825b99 - std::sys::imp::backtrace::tracing::imp::write::hbb14611794d3841b
                        at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:42
   2:     0x55dad0827eae - std::panicking::default_hook::{{closure}}::h6ed906c7818ac88c
                        at /checkout/src/libstd/panicking.rs:351
   3:     0x55dad0827ab4 - std::panicking::default_hook::h23eeafbf7c1c05c3
                        at /checkout/src/libstd/panicking.rs:367
   4:     0x55dad082824b - std::panicking::rust_panic_with_hook::hd0067971b6d1240e
                        at /checkout/src/libstd/panicking.rs:545
   5:     0x55dad08280d4 - std::panicking::begin_panic::h1fd1f10a3de8f902
                        at /checkout/src/libstd/panicking.rs:507
   6:     0x55dad0828049 - std::panicking::begin_panic_fmt::haa043917b5d6f21b
                        at /checkout/src/libstd/panicking.rs:491
   7:     0x55dad0827fd7 - rust_begin_unwind
                        at /checkout/src/libstd/panicking.rs:467
   8:     0x55dad084d78d - core::panicking::panic_fmt::he9c7f335d160b59d
                        at /checkout/src/libcore/panicking.rs:69
   9:     0x55dad084d6c4 - core::panicking::panic::hb790668694ff6b20
                        at /checkout/src/libcore/panicking.rs:49
  10:     0x55dad07c4024 - inflate::CodeLengthReader::new::h53e5af7e8ca9c556
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/inflate-0.1.1/src/lib.rs:233
  11:     0x55dad08019bd - inflate::InflateStream::next_state::h28da8dd0129b2847
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/inflate-0.1.1/src/lib.rs:829
  12:     0x55dad081f214 - inflate::InflateStream::update::h06f6fb8898500df7
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/inflate-0.1.1/src/lib.rs:948
  13:     0x55dad07b1e92 - png::decoder::stream::StreamingDecoder::next_state::h2e2e90d52596330a
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/stream.rs:362
  14:     0x55dad07afe54 - png::decoder::stream::StreamingDecoder::update::h6616d015ee7df0da
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/stream.rs:169
  15:     0x55dad079a914 - <png::decoder::ReadDecoder<R>>::decode_next::h8bf479b2bee839dc
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/mod.rs:109
  16:     0x55dad0796c77 - <png::decoder::Reader<R>>::next_raw_interlaced_row::h7d6705413b0ee451
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/mod.rs:428
  17:     0x55dad0795cda - <png::decoder::Reader<R>>::next_interlaced_row::h873e9164629faba8
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/mod.rs:254
  18:     0x55dad0797d8b - <png::decoder::Reader<R>>::next_row::he4e756b17566ee6e
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/mod.rs:238
  19:     0x55dad07952bd - <png::decoder::Reader<R>>::next_frame::h9d9d7be827052a5f
                        at /home/nagisa/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.6.2/src/decoder/mod.rs:229
  20:     0x55dad079f5b4 - <image::png::PNGDecoder<R> as image::image::ImageDecoder>::read_image::h5ea193ed42802e94
                        at /home/nagisa/Documents/rust/image/src/png.rs:84
  21:     0x55dad079ffd0 - overallocbmp::main::ha9648ec80c314f37
                        at /home/nagisa/Documents/rust/image/examples/overallocbmp.rs:7
  22:     0x55dad082ed2a - __rust_maybe_catch_panic
                        at /checkout/src/libpanic_unwind/lib.rs:98
  23:     0x55dad0828796 - std::rt::lang_start::hb7fc7ec87b663023
                        at /checkout/src/libstd/panicking.rs:429
                        at /checkout/src/libstd/panic.rs:361
                        at /checkout/src/libstd/rt.rs:57
  24:     0x55dad07a00a2 - main
  25:     0x7f0adf9ec290 - __libc_start_main
  26:     0x55dad07939b9 - _start
  27:                0x0 - <unknown>

The base64 of png image:

iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAABGdBTUEAALGPC/xhBQAAAAZiS0dE
AP8A/wD/oL2nkwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB+ECGBI3Kqq/UGsAAAAdaVRY
dENvbW1lbnQAAAAAAENyZWF0ZWQgd2l0aCBHSU1QZC5lBwAADCtJREFUSA206P/z3/OJUE5HDQoa
CgAAAA1JSERSAAAAIAAAACAIAgAAAPwY7aMAAAANSUhEAAAAAAAAAAAAUgAAACAAAAAgCAIAAAD8
GO2jAAAABGZkTUEAALGPC/xhBQAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSPULCPX1AAAAAAAAAAAA
AAAAAElNRQfhAhgSNyqqv1BrAAAAHWl0aCBHSU1QAAAAAAAAAGQuAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAiVBORw0KGgoAAAANSUhEUgAAACAAAAAg
CAIAAAD8GO2jAAAABGdBTUEAALGJUE5HDQoaCgAAAA1JSERSAAAAIAAAACAIAgAAAQYY7aMAAAAE
Z0FNQQAAsY8L/GEFAAAABmJLR0QA/wD/AP+gvaeTAAAACXBI9fX19fX19fX19fX19fX19fX19fVZ
iVBORw0KGgoAAAANSUhEUgAAAHMAAAsTAAALEwEAmpwYAAAAB3QgAAAAIAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASU1FB+EC
GBI3Kqq/UGsAAAAdaVRYdENvbW1lbnQAAAAAAENyZWF0ZWQgd2l0aCBHSU1QAAAAAAAAAGQuAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgQAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABkLgAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAIlQTkcNChoKAAAADUlIRFIAAAAgAAAAIAgD
AAAA/BjtowAAAARnQU1BAACxjwv8YQUAAAAGYktHRAD/AP8A/6C9p5MAAAAJcEj19fX19fX19fX1
9fX19fX19fX19VmJUE5HDQoaCgAAAA1JSERSAAAAcwAACxMAAAsTAQCanBgAAAAHdCAAAAAgAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMBAJqcGAAAAAd0IAAAACAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAElNRQfhAhgSNyqqv1BrAAAAHWlUWHRDb21tZW50AAAAAABDcmVhdAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHAAAMAAA=

Example test:

extern crate image;

use image::ImageDecoder;

fn main() {
    let f = ::std::fs::File::open("inflate.png").unwrap();
    let x = image::png::PNGDecoder::new(f).read_image();
}

Must be compiled without optimisations (might also reproduce with -C debug-assertions)

Answer 1 · 2017-02-26T22:41:12.000Z

cc @pnkfelix