Panic on invalid input to jpeg_decoder::Decoder::decode #277
Comments
From the spec:
and, related:
The current code is (in lossless.rs):
In the example file, frame.precision is 8, scan.point_transform is 12. Simple underflow problem. I might suggest, given the wording of A.4: Edit: Removing the latter stuff, because I don't think that's at all what the spec was talking about. That said, I've still got a few questions about how the implementation deals with point_transform over the course of the function, but I'm going to look deeper.
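The underflow discussed in the comment above, as an added example that is not part of the thread and is not jpeg-decoder's own code: header-derived values are subtracted with `checked_sub` so a malformed scan yields an error instead of a panic. The names `ScanError`, `initial_prediction` and `wrapped_difference` are hypothetical, and the sketch assumes the start-of-scan predictor has the form 2^(P - Pt - 1) with lossless precision limited to 2..=16.

```rust
// Added example with hypothetical names; not the crate's implementation.
#[derive(Debug, PartialEq)]
pub enum ScanError {
    /// The point transform leaves no sample bits (Pt >= P).
    PointTransformTooLarge { precision: u8, point_transform: u8 },
    /// Precision outside the assumed lossless range 2..=16.
    UnsupportedPrecision(u8),
}

/// Returns the assumed initial predictor 2^(P - Pt - 1), or an error for
/// header values that would make the unsigned subtraction underflow.
pub fn initial_prediction(precision: u8, point_transform: u8) -> Result<i32, ScanError> {
    if !(2..=16).contains(&precision) {
        return Err(ScanError::UnsupportedPrecision(precision));
    }
    // checked_sub returns None where `-` would panic (debug) or wrap (release).
    let bits = precision
        .checked_sub(point_transform)
        .and_then(|b| b.checked_sub(1))
        .ok_or(ScanError::PointTransformTooLarge { precision, point_transform })?;
    Ok(1i32 << bits)
}

/// What an unchecked `precision - point_transform` becomes when overflow
/// checks are off (the default for release builds): a large bogus bit count.
pub fn wrapped_difference(precision: u8, point_transform: u8) -> u8 {
    precision.wrapping_sub(point_transform)
}

fn main() {
    // Constructed inputs; (8, 12) are the values reported in this issue.
    for (p, pt) in [(8u8, 0u8), (8, 12), (16, 15), (8, 8)] {
        println!(
            "P={p} Pt={pt}: {:?} (unchecked release value: {})",
            initial_prediction(p, pt),
            wrapped_difference(p, pt)
        );
    }
}
```

In a release build the unchecked subtraction does not panic but wraps to 252 for these inputs, so the explicit check matters in both build profiles.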
Thanks for looking into this! If you figure out a fix, please do open a PR!
Describe the bug
Panic could be triggered when passing jpeg_decoder::Decoder::decode with invalid input. Panic info is shown below:
thread 'main' panicked at /home/test/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/jpeg-decoder-0.3.1/src/decoder/lossless.rs:112:40: attempt to subtract with overflow
Full stack backtrace:
0: rust_begin_unwind
at /rustc/07688726805d5db0a4bca445a6651d09708041ea/library/std/src/panicking.rs:617:5
1: core::panicking::panic_fmt
at /rustc/07688726805d5db0a4bca445a6651d09708041ea/library/core/src/panicking.rs:67:14
2: core::panicking::panic
at /rustc/07688726805d5db0a4bca445a6651d09708041ea/library/core/src/panicking.rs:117:5
3: jpeg_decoder::decoder::lossless::<impl jpeg_decoder::decoder::Decoder>::decode_scan_lossless
at /home/test/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/jpeg-decoder-0.3.1/src/decoder/lossless.rs:112:40
4: jpeg_decoder::decoder::Decoder::decode_internal
at /home/test/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/jpeg-decoder-0.3.1/src/decoder.rs:415:46
5: jpeg_decoder::decoder::Decoder::decode::{{closure}}
at /home/test/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/jpeg-decoder-0.3.1/src/decoder.rs:294:36
6: jpeg_decoder::worker::WorkerScope::with
at /home/test/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/jpeg-decoder-0.3.1/src/worker/mod.rs:61:9
7: jpeg_decoder::decoder::Decoder::decode
at /home/test/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/jpeg-decoder-0.3.1/src/decoder.rs:294:9
8: jpeg_decoder_poc::main
at ./src/main.rs:5:11
9: core::ops::function::FnOnce::call_once
at /rustc/07688726805d5db0a4bca445a6651d09708041ea/library/core/src/ops/function.rs:250:5
Expected behavior
Not panic. It could be an error reported to the users.
Test environment:
Version:
jpeg-decoder = "0.3.1"
OS: Ubuntu 20.04, 64 bit
Target triple: x86_64-unknown-linux-gnu
Rustc version: rustc 1.73.0-nightly (076887268 2023-08-17)
To Reproduce
The PoC to reproduce the bug:
PoC input is attached:
jpeg-decode-crash.xx.zip