Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Thread panicking in TiffReader::read_image() #2179

Open
RedPixlFox opened this issue Mar 24, 2024 · 4 comments
Open

Thread panicking in TiffReader::read_image() #2179

RedPixlFox opened this issue Mar 24, 2024 · 4 comments

Comments

@RedPixlFox
Copy link

RedPixlFox commented Mar 24, 2024
edited

image/src/codecs/tiff.rs

Line 244 in d407e36

buf.copy_from_slice(&v);

I don't know, what path this happened on, because my application iterates over all files in "C:/"

output:

(with RUST_BACKTRACE=full)

thread 'some-thread' panicked at C:\Users\MYNAME\.cargo\registry\src\index.crates.io-6f17d22bba15001f\image-0.25.0\src\codecs\tiff.rs:244:21:
source slice length (24300) does not match destination slice length (97200)
stack backtrace:
   0:     0x7ff676948252 - std::sys_common::backtrace::_print::impl$0::fmt
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\sys_common\backtrace.rs:44
   1:     0x7ff67696d92d - core::fmt::rt::Argument::fmt
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\core\src\fmt\rt.rs:142
   2:     0x7ff67696d92d - core::fmt::write
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\core\src\fmt\mod.rs:1120
   3:     0x7ff6769437c1 - std::io::Write::write_fmt<std::sys::windows::stdio::Stderr>
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\io\mod.rs:1810
   4:     0x7ff67694807a - std::sys_common::backtrace::_print
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\sys_common\backtrace.rs:47
   5:     0x7ff67694807a - std::sys_common::backtrace::print
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\sys_common\backtrace.rs:34
   6:     0x7ff67694a529 - std::panicking::default_hook::closure$1
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:272
   7:     0x7ff67694a1e5 - std::panicking::default_hook
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:292
   8:     0x7ff67694aa54 - std::panicking::rust_panic_with_hook
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:779
   9:     0x7ff67694a929 - std::panicking::begin_panic_handler::closure$0
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:657
  10:     0x7ff676948b59 - std::sys_common::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::closure_env$0,never$>
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\sys_common\backtrace.rs:171
  11:     0x7ff67694a5f2 - std::panicking::begin_panic_handler
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:645
  12:     0x7ff6769c8027 - core::panicking::panic_fmt
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\core\src\panicking.rs:72
  13:     0x7ff6769c87e4 - core::slice::impl$0::copy_from_slice::len_mismatch_fail
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\core\src\slice\mod.rs:3658
  14:     0x7ff6763d8d59 - <image::error::ImageError as core::fmt::Debug>::fmt::h5839837c718db28e
  15:     0x7ff6763f57b2 - image::image::decoder_to_vec::he011e603413437f3
  16:     0x7ff6763d6e61 - image::io::reader::Reader<R>::decode::h8caba6be98c60731
  17:     0x7ff67640fe52 - std::sys_common::backtrace::__rust_begin_short_backtrace::h2de1ef0315b52244
  18:     0x7ff6763c6377 - <&T as core::fmt::Debug>::fmt::he532799be213416c
  19:     0x7ff676957fcc - std::sys::windows::thread::impl$0::new::thread_start
                               at /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\sys\windows\thread.rs:58
  20:     0x7ffc0dce257d - BaseThreadInitThunk
  21:     0x7ffc0f9aaa58 - RtlUserThreadStart

code (running in 'some-thread'):

pub fn generate_thumbnail_from_image(
    path: PathBuf,
    max_x: u32,
    max_y: u32
) -> Result<image::RgbaImage, Box<dyn Error>> {
    let reader = image::io::Reader::open(&path)?;
    let dyn_image = reader.decode()?;
    let thumbnail = dyn_image.thumbnail(max_x, max_y);

    Ok(thumbnail.into_rgba8())
}
@RedPixlFox RedPixlFox mentioned this issue Mar 24, 2024
Open
@fintelia
Copy link
Contributor

I looked briefly into this and the size calculation in the tiff crate looks right to me. Clearly, it is going wrong somehow, but without the failing image I don't think this is very actionable

@RedPixlFox
Copy link
Author

But what can I do to make it not panic instantly?

@RedPixlFox
Copy link
Author

I will try to find the image tomorrow 👍🏼

@fintelia
Copy link
Contributor

I'll also add that while there has been a bunch of effort on fuzzing this crate, that work isn't complete. There are still many places where malicious or malformed input can cause an out-of-memory crash or a panic. At the moment, you may want to look into catch_unwind or some other strategy for recovering when the code panics

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@fintelia @RedPixlFox