Out-of-bounds in gif::Decoder

[nagisa]

Following base64-encoded gif image causes the gif decoder to panic with OOB condition:

R0lGODdhIAAgAIABAJQnJ////ywAAAAAIOgAAHUAAAAAAAAAAAAArDsAAlGEj1GE///L7Q+j

or a shorter

R0lGODdhIAAgAIABAJQ7J////ywAR7wpSSEAAEYAADg3YQA=

[nwin]

I cannot reproduce that error. It doesn’t panic but returns an error. Can you please provide the code you used to test this?

$ cargo run --example opening test.gif 
    Finished debug [unoptimized + debuginfo] target(s) in 0.0 secs
     Running `target/debug/examples/opening test.gif`
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: FormatError("malformed GIF header")', ../src/libcore/result.rs:799
note: Run with `RUST_BACKTRACE=1` for a backtrace.

[nwin]

Ahh, I see. I didn’t use the base64 decoder correctly.

How do you come to this images anyway? If you used some fuzzing I would really appreciated if you would share the code.

[nagisa]

The code I used is:

extern crate image;

use image::ImageDecoder;

fn main() {
    let f = ::std::fs::File::open("oob.gif").unwrap();
    let x = image::gif::Decoder::new(f).read_image();
}

where sha1sum of oob.gif is 3f673b772a1e56da103e6b480ee3af7975c3c9d7 (eyeballing the base64 of the image seems to match the first example I pasted, so no mistakes copy-pasting)

[nagisa]

And yes, images are generated by the quite new cargo-fuzz utility we’re developing. It just happened that I had a bright idea to fuzz image crate on the way home :)

[nwin]

I’m a bit disappointed that this went through, I actually let afl run for a while on the gif decoder (see https://github.com/PistonDevelopers/image-gif)…

[nwin]

Closed via image-rs/image-gif@3755875