kpcyrd/sn0int

DoS: Crash when loading crafted images

Opened this issue · 0 comments

I set up some simple fuzzing for sn0int in my fork, targeting image loading, and found a few issues you may find security relevant.

crashes.tar.gz

crash-16* and oom-47* cause allocation failure which immediately terminates the process, while crash-32* is an integer overflow. These issues should be fixed by the latest image crate version, so hopefully a dependency upgrade is simple.

oom-96* seems to be the same root cause as image-rs/image#1748 with mitigations added in this merge: image-rs/image-png#353, but I think sn0int will need to use the Limits API for that to take effect.


Stacktrace: oom-47988b9562c06a826c5503b6f65bc27a93f9cc62
==541042== ERROR: libFuzzer: out-of-memory (malloc(13083149316))
    #17 0x557368c13063 in image::image::decoder_to_vec::h7cd41838256519f3 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/image.rs:490:19
    #18 0x557368ca2bf2 in image::dynimage::decoder_to_image::h75353bc00306555d /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/dynimage.rs:1117:23
    #19 0x557368c07cac in image::dynimage::DynamicImage::from_decoder::hc2a723107ae85155 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/dynimage.rs:194:9
    #20 0x557368c07cac in image::io::free_functions::load::hfb63e77f4780b588 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/io/free_functions.rs:67:36
    #21 0x557369186442 in image::dynimage::load_from_memory_with_format::h803ad8ee200dbbfa sn0int/sn0int-std/src/gfx/mod.rs:109:17
    #22 0x557369186442 in sn0int_std::gfx::load::h5df31f821b037c62 sn0int/sn0int-std/src/gfx/mod.rs:109:17
    #23 0x5573684218cc in rust_fuzzer_test_input sn0int/sn0int-std/fuzz/fuzz_targets/image_load.rs:8:13
Stacktrace: crash-16e09653a6ced483db6215e4a922a061b580846d
==550165==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x7544fa0000 bytes
    #7 0x560d2c1dcc4f in alloc::vec::from_elem::hbf6ab617103d0739 /rustc/9067d5277d10f0f32a49ec9c125a33828e26a32b/library/alloc/src/vec/mod.rs:2457:5
    #8 0x560d2c1dcc4f in image::image::decoder_to_vec::h62f36f795519b5f5 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/image.rs:490:19
    #9 0x560d2c279014 in image::dynimage::decoder_to_image::hc52467439a01cf50 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/dynimage.rs:1112:23
    #10 0x560d2c1d380f in image::dynimage::DynamicImage::from_decoder::h6775414ccbd6e795 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/dynimage.rs:194:9
    #11 0x560d2c1d380f in image::io::free_functions::load::hfb63e77f4780b588 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/io/free_functions.rs:79:36
    #12 0x560d2c752442 in image::dynimage::load_from_memory_with_format::h803ad8ee200dbbfa sn0int/sn0int-std/src/gfx/mod.rs:109:17
    #13 0x560d2c752442 in sn0int_std::gfx::load::h5df31f821b037c62 sn0int/sn0int-std/src/gfx/mod.rs:109:17
    #14 0x560d2b9ed8cc in rust_fuzzer_test_input sn0int/sn0int-std/fuzz/fuzz_targets/image_load.rs:11:13
Stacktrace: crash-32aed9132fadd27014d0d5f43ae9376f9b3f9cd7
thread '<unnamed>' panicked at 'attempt to add with overflow', /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/codecs/webp/decoder.rs:114:25
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==550494== ERROR: libFuzzer: deadly signal
    #17 0x56256aacf0da in image::codecs::webp::decoder::WebPDecoder$LT$R$GT$::read_vp8_header::h77b76337098a5ab0 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/codecs/webp/decoder.rs:114:25
    #18 0x56256aad065a in image::codecs::webp::decoder::WebPDecoder$LT$R$GT$::read_metadata::h65b39a062aa3a0c6 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/codecs/webp/decoder.rs:138:23
    #19 0x56256aad065a in image::codecs::webp::decoder::WebPDecoder$LT$R$GT$::new::hbf1af4ab5a6d4d10 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/codecs/webp/decoder.rs:70:9
    #20 0x56256aa46b80 in image::io::free_functions::load::hfb63e77f4780b588 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/io/free_functions.rs:71:64
    #21 0x56256afc6442 in image::dynimage::load_from_memory_with_format::h803ad8ee200dbbfa sn0int/sn0int-std/src/gfx/mod.rs:109:17
    #22 0x56256afc6442 in sn0int_std::gfx::load::h5df31f821b037c62 sn0int/sn0int-std/src/gfx/mod.rs:109:17
    #23 0x56256a2618cc in rust_fuzzer_test_input sn0int/sn0int-std/fuzz/fuzz_targets/image_load.rs:11:13
Stacktrace: oom-9642df99e8a487afa7c072fc46aca9a64ed13707
==568277== ERROR: libFuzzer: out-of-memory (malloc(3221291008))
    #15 0x563ce7fd89fc in alloc::vec::Vec$LT$T$C$A$GT$::resize::h011ee8981ffcda1b /rustc/9067d5277d10f0f32a49ec9c125a33828e26a32b/library/alloc/src/vec/mod.rs:2255:13
    #16 0x563ce7fd89fc in png::decoder::Reader$LT$R$GT$::allocate_out_buf::hf5e356b5ab2f9e6d /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.16.8/src/decoder/mod.rs:654:9
    #17 0x563ce7fdf989 in png::decoder::Reader$LT$R$GT$::init::he778edd779410d22 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.16.8/src/decoder/mod.rs:344:9
    #18 0x563ce7fe2bea in png::decoder::Decoder$LT$R$GT$::read_info::h5b0c1fa661cb8331 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/png-0.16.8/src/decoder/mod.rs:118:9
    #19 0x563ce854f9f6 in image::codecs::png::PngDecoder$LT$R$GT$::new::haba444bfcb43be3c /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/codecs/png.rs:131:31
    #20 0x563ce850091b in image::io::free_functions::load::hfb63e77f4780b588 /home/evan/.cargo/registry/src/github.com-1ecc6299db9ec823/image-0.23.14/./src/io/free_functions.rs:65:63
    #21 0x563ce8a80a72 in image::dynimage::load_from_memory_with_format::h803ad8ee200dbbfa sn0int/sn0int-std/src/gfx/mod.rs:108:17
    #22 0x563ce8a80a72 in sn0int_std::gfx::load::h5df31f821b037c62 sn0int/sn0int-std/src/gfx/mod.rs:108:17
    #23 0x563ce7d1bcab in rust_fuzzer_test_input
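The allocation-limit point above, as an added example that is neither sn0int's nor the image crate's code: a hand-rolled guard that reads only the PNG signature and IHDR chunk and refuses an image whose declared size would exceed a byte budget, using checked arithmetic so a crafted header cannot wrap the size computation the way crash-32* wraps the WebP header math. The function names and the budget values are assumptions; the image crate's Limits API does the equivalent inside the decoder.

```rust
// Added example, not sn0int's code: pre-decode guard on a PNG's declared size.
// The image crate's Limits API enforces the same kind of budget inside the decoder.
const PNG_SIG: [u8; 8] = [0x89, b'P', b'N', b'G', 0x0d, 0x0a, 0x1a, 0x0a];

fn be32(b: &[u8]) -> u32 { u32::from_be_bytes([b[0], b[1], b[2], b[3]]) }

/// Bytes a decoder would allocate for raw scanlines; None on bad colour type/depth or u64 overflow.
pub fn png_decoded_bytes(width: u32, height: u32, bit_depth: u8, color_type: u8) -> Option<u64> {
    let channels: u64 = match color_type {
        0 | 3 => 1, 2 => 3, 4 => 2, 6 => 4, // grey, palette, RGB, grey+alpha, RGBA
        _ => return None,
    };
    if !matches!(bit_depth, 1 | 2 | 4 | 8 | 16) {
        return None;
    }
    // Bytes per scanline rounded up, plus PNG's one filter-type byte per row.
    let row = (width as u64).checked_mul(channels * bit_depth as u64)?.checked_add(7)? / 8 + 1;
    row.checked_mul(height as u64)
}

/// Inspect only the signature and IHDR chunk of `data`; nothing is decoded.
pub fn check_png_budget(data: &[u8], max_alloc: u64) -> Result<u64, &'static str> {
    if data.len() < 33 || &data[..8] != &PNG_SIG[..] {
        return Err("not a PNG");
    }
    // Chunk layout: 4-byte length, 4-byte type, data, 4-byte CRC.
    if be32(&data[8..12]) != 13 || &data[12..16] != b"IHDR" {
        return Err("first chunk is not a 13-byte IHDR");
    }
    let (width, height) = (be32(&data[16..20]), be32(&data[20..24]));
    let bytes = png_decoded_bytes(width, height, data[24], data[25])
        .ok_or("invalid or overflowing IHDR")?;
    if bytes > max_alloc {
        return Err("declared size exceeds allocation budget");
    }
    Ok(bytes)
}

/// Constructed test input: signature plus an IHDR chunk (CRC left as zeros).
pub fn ihdr_prefix(width: u32, height: u32, bit_depth: u8, color_type: u8) -> Vec<u8> {
    let mut v = PNG_SIG.to_vec();
    v.extend_from_slice(&[0, 0, 0, 13]);
    v.extend_from_slice(b"IHDR");
    v.extend_from_slice(&width.to_be_bytes());
    v.extend_from_slice(&height.to_be_bytes());
    v.extend_from_slice(&[bit_depth, color_type, 0, 0, 0, 0, 0, 0, 0]); // compression, filter, interlace, CRC
    v
}
```

Running the guard before handing bytes to the decoder turns a multi-gigabyte allocation attempt into an error return, and a header whose dimensions overflow the size arithmetic is rejected instead of wrapping.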