rwcarlsen/goexif

exif.Decode() panics on empty Tiff.Dirs

joeshaw opened this issue · 1 comment

I've started running https://github.com/dvyukov/go-fuzz against goexif. One panic I've seen is:

panic: runtime error: index out of range

goroutine 1 [running]:
github.com/rwcarlsen/goexif/exif.(*parser).Parse(0x2b3f60, 0x20832e510, 0x0, 0x0)
    /var/folders/69/cstplpp51jz6f9_5m_m__3gh0000gq/T/go-fuzz-build329778221/src/github.com/rwcarlsen/goexif/exif/exif.go:147 +0x77a
github.com/rwcarlsen/goexif/exif.Decode(0x2208307a30, 0x208312080, 0x2b3d58, 0x0, 0x0)
    /var/folders/69/cstplpp51jz6f9_5m_m__3gh0000gq/T/go-fuzz-build329778221/src/github.com/rwcarlsen/goexif/exif/exif.go:287 +0xec4
github.com/joeshaw/goexif-fuzz.Fuzz(0x22084b6000, 0x1a45, 0x200000, 0x1)
    /var/folders/69/cstplpp51jz6f9_5m_m__3gh0000gq/T/go-fuzz-build329778221/src/github.com/joeshaw/goexif-fuzz/fuzz.go:10 +0x133
github.com/dvyukov/go-fuzz/go-fuzz-dep.Main(0x21c378)
    /Users/joeshaw/src/gosrc/src/github.com/dvyukov/go-fuzz/go-fuzz-dep/main.go:44 +0x13d
main.main()
    /var/folders/69/cstplpp51jz6f9_5m_m__3gh0000gq/T/go-fuzz-build329778221/src/go-fuzz-main/main.go:10 +0x2a

This is because x.Tiff.Dirs has length 0. The exact data fed in is:

"II*\x00\x00\x00\x00\x00"

I'm not sure about what the right level to fix this is. I see a few options:

  • Is it valid to generate a tiff.Tiff with len(t.Dirs) == 0? If not, an error should probably be thrown from tiff.Decode().
  • If it is valid, exif.parser.Parse() should check len(x.Tiff.Dirs) before accessing the first element and error out.
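The two options above, worked through as an added example. This is not goexif's code and not code from the issue author; `Decode`, `FirstDirEntries`, the `Tiff`/`Dir` types, the error values and the `MinimalTiff` sample are all hypothetical names in a standalone, minimal TIFF header walker. It decodes the 8-byte header ("II"/"MM", magic 42, first IFD offset), rejects a zero first-IFD offset up front (the fuzz input `"II*\x00\x00\x00\x00\x00"`), bounds-checks every IFD against the buffer so a hostile offset cannot index out of range, and also shows the consumer-side guard, a `len(Dirs) == 0` check before touching `Dirs[0]`, for the case where a decoder is allowed to return zero directories.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical minimal TIFF walker (added example, not goexif's implementation).

const tiffMagic = 42

var (
	ErrShortHeader = errors.New("tiff: header shorter than 8 bytes")
	ErrByteOrder   = errors.New("tiff: unknown byte order mark")
	ErrMagic       = errors.New("tiff: bad magic number")
	ErrNoIFD       = errors.New("tiff: no image file directories")
	ErrIFDBounds   = errors.New("tiff: IFD offset or size outside data")
	ErrIFDLoop     = errors.New("tiff: IFD chain loops")
)

// Dir records where an IFD sits and how many 12-byte entries it declares.
type Dir struct {
	Offset  uint32
	Entries uint16
}

// Tiff is the decoded result: byte order plus the IFD chain.
type Tiff struct {
	Order binary.ByteOrder
	Dirs  []Dir
}

// Decode parses the TIFF header and walks the IFD chain. It never returns a
// *Tiff with len(Dirs) == 0: a zero first-IFD offset is reported as ErrNoIFD
// instead (option one from the issue: fail inside the TIFF decoder).
func Decode(data []byte) (*Tiff, error) {
	if len(data) < 8 {
		return nil, ErrShortHeader
	}
	var order binary.ByteOrder
	switch string(data[:2]) {
	case "II":
		order = binary.LittleEndian
	case "MM":
		order = binary.BigEndian
	default:
		return nil, ErrByteOrder
	}
	if order.Uint16(data[2:4]) != tiffMagic {
		return nil, ErrMagic
	}
	off := order.Uint32(data[4:8])
	if off == 0 {
		// Exactly the fuzz case: valid header, but no IFD to read.
		return nil, ErrNoIFD
	}
	t := &Tiff{Order: order}
	seen := make(map[uint32]bool)
	for off != 0 {
		if seen[off] {
			return nil, ErrIFDLoop
		}
		seen[off] = true
		// Need 2 bytes for the entry count before reading it.
		if uint64(off)+2 > uint64(len(data)) {
			return nil, ErrIFDBounds
		}
		n := order.Uint16(data[off : off+2])
		// Whole IFD: count + n*12 entry bytes + 4-byte next-IFD offset.
		end := uint64(off) + 2 + uint64(n)*12 + 4
		if end > uint64(len(data)) {
			return nil, ErrIFDBounds
		}
		t.Dirs = append(t.Dirs, Dir{Offset: off, Entries: n})
		off = order.Uint32(data[end-4 : end])
	}
	return t, nil
}

// FirstDirEntries is the consumer-side guard (option two from the issue):
// check len(Dirs) before indexing Dirs[0] instead of panicking.
func FirstDirEntries(t *Tiff) (uint16, error) {
	if t == nil || len(t.Dirs) == 0 {
		return 0, ErrNoIFD
	}
	return t.Dirs[0].Entries, nil
}

// MinimalTiff is a constructed well-formed input: little-endian header, one
// IFD at offset 8 holding a single ImageWidth (0x0100, SHORT) entry of 16.
func MinimalTiff() []byte {
	b := []byte("II*\x00\x08\x00\x00\x00")
	b = append(b, 0x01, 0x00) // one entry
	b = append(b, 0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00)
	b = append(b, 0x00, 0x00, 0x00, 0x00) // next IFD offset: none
	return b
}

func main() {
	for _, in := range [][]byte{[]byte("II*\x00\x00\x00\x00\x00"), MinimalTiff()} {
		t, err := Decode(in)
		if err != nil {
			fmt.Printf("%q: %v\n", in, err)
			continue
		}
		n, _ := FirstDirEntries(t)
		fmt.Printf("%q: %d IFD(s), first has %d entries\n", in, len(t.Dirs), n)
	}
}
```

Keeping the zero-offset check in the decoder is the stronger fix, because every consumer of `Tiff` then gets the guarantee for free; the `len(Dirs)` guard in `FirstDirEntries` is still worth having if a `Tiff` can be constructed by code other than the decoder.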

Fixed by #49