Decompression failure with miniz and rust_backend (but not libz) #142

Closed
fintelia opened this issue Jan 6, 2018 · 5 comments

fintelia commented Jan 6, 2018

I get a segmentation fault when I use the following code (relying on the zip crate) to decompress this file:

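use std::{fs::File, io::Read}; // File opens the archive, Read provides read_to_end
fn main() {
    let mut archive = zip::ZipArchive::new(File::open("clouds1.zip").unwrap()).unwrap();
    let mut f = archive.by_index(2).unwrap(); // third entry in the archive
    let _ = f.read_to_end(&mut Vec::new()); // decompress the whole entry, discard the result
}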

However, simply enabling the zlib feature on flate2 resolves it:

flate2 = { version = "1.0.1", features = ["zlib"], default-features = false }

Full output:

$ RUST_BACKTRACE=1 cargo run
    Finished dev [unoptimized + debuginfo] target(s) in 0.0 secs
     Running `target/debug/zip-test`
thread 'main' panicked at 'index 5696 out of range for slice of length 5694', /checkout/src/libcore/slice/mod.rs:745:4
stack backtrace:
   0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
             at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1: std::sys_common::backtrace::print
             at /checkout/src/libstd/sys_common/backtrace.rs:68
             at /checkout/src/libstd/sys_common/backtrace.rs:57
   2: std::panicking::default_hook::{{closure}}
             at /checkout/src/libstd/panicking.rs:381
   3: std::panicking::default_hook
             at /checkout/src/libstd/panicking.rs:397
   4: std::panicking::rust_panic_with_hook
             at /checkout/src/libstd/panicking.rs:577
   5: std::panicking::begin_panic
             at /checkout/src/libstd/panicking.rs:538
   6: std::panicking::begin_panic_fmt
             at /checkout/src/libstd/panicking.rs:522
   7: rust_begin_unwind
             at /checkout/src/libstd/panicking.rs:498
   8: core::panicking::panic_fmt
             at /checkout/src/libcore/panicking.rs:71
   9: core::slice::slice_index_len_fail
             at /checkout/src/libcore/slice/mod.rs:745
  10: <core::ops::range::Range<usize> as core::slice::SliceIndex<[T]>>::index_mut
             at /checkout/src/libcore/slice/mod.rs:888
  11: core::slice::<impl core::ops::index::IndexMut<I> for [T]>::index_mut
             at /checkout/src/libcore/slice/mod.rs:738
  12: miniz_oxide::inflate::core::decompress_fast
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/miniz_oxide-0.1.1/src/inflate/core.rs:916
  13: miniz_oxide::inflate::core::decompress_inner
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/miniz_oxide-0.1.1/src/inflate/core.rs:1327
  14: miniz_oxide::inflate::core::decompress
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/miniz_oxide-0.1.1/src/inflate/core.rs:983
  15: miniz_oxide_c_api::lib_oxide::mz_inflate_oxide
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/miniz_oxide_c_api-0.1.1/src/lib_oxide.rs:572
  16: miniz_oxide_c_api::mz_inflate::{{closure}}
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/miniz_oxide_c_api-0.1.1/src/lib.rs:106
  17: core::ops::function::FnOnce::call_once
             at /checkout/src/libcore/ops/function.rs:223
  18: <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
             at /checkout/src/libstd/panic.rs:300
  19: std::panicking::try::do_call
             at /checkout/src/libstd/panicking.rs:480
  20: __rust_maybe_catch_panic
             at /checkout/src/libpanic_unwind/lib.rs:101
  21: std::panicking::try
             at /checkout/src/libstd/panicking.rs:459
  22: std::panic::catch_unwind
             at /checkout/src/libstd/panic.rs:365
  23: mz_inflate
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/miniz_oxide_c_api-0.1.1/src/lib.rs:104
  24: flate2::mem::Decompress::decompress
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/flate2-1.0.1/src/mem.rs:368
  25: <flate2::mem::Decompress as flate2::zio::Ops>::run
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/flate2-1.0.1/src/zio.rs:44
  26: flate2::zio::read
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/flate2-1.0.1/src/zio.rs:102
  27: <flate2::deflate::bufread::DeflateDecoder<R> as std::io::Read>::read
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/flate2-1.0.1/src/deflate/bufread.rs:247
  28: <flate2::deflate::read::DeflateDecoder<R> as std::io::Read>::read
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/flate2-1.0.1/src/deflate/read.rs:246
  29: <zip::crc32::Crc32Reader<R> as std::io::Read>::read
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/zip-0.2.7/src/crc32.rs:96
  30: <zip::read::ZipFile<'a> as std::io::Read>::read
             at /home/jonathan/.cargo/registry/src/github.heygears.com-1ecc6299db9ec823/zip-0.2.7/src/read.rs:452
  31: std::io::read_to_end
             at /checkout/src/libstd/io/mod.rs:380
  32: std::io::Read::read_to_end
             at /checkout/src/libstd/io/mod.rs:600
  33: zip_test::main
             at src/main.rs:12
  34: __rust_maybe_catch_panic
             at /checkout/src/libpanic_unwind/lib.rs:101
  35: std::rt::lang_start
             at /checkout/src/libstd/panicking.rs:459
             at /checkout/src/libstd/rt.rs:58
  36: main
  37: __libc_start_main
  38: _start
FATAL ERROR: Caught panic!
Segmentation fault (core dumped)

oyvindln commented Jan 6, 2018

In the case of miniz_oxide there seems to be a bug with decompression somewhere which is causing it to try to output a match without having space for it; will investigate this. Not sure what causes the panic to result in a segfault though (maybe due to a panic being carried through an extern C function?).
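
The failure mode described in the comment above, writing an LZ77 match when the output slice has no room for it, shown as an added example. This is not miniz_oxide's code: the function names are hypothetical and the buffer sizes are constructed to mirror the numbers in the panic message.

```rust
// Added illustration, not miniz_oxide code. Names and sizes are assumptions.
#[derive(Debug, PartialEq)]
enum CopyError {
    /// Fewer than `needed` bytes remain in the output slice.
    OutputFull { needed: usize, available: usize },
    /// `dist` is zero or reaches back before the start of the output.
    BadDistance,
}

/// Copy an LZ77 match of `len` bytes taken from `dist` bytes back,
/// checking the remaining space first. Returns the new output position.
fn copy_match(out: &mut [u8], out_pos: usize, dist: usize, len: usize) -> Result<usize, CopyError> {
    if dist == 0 || dist > out_pos {
        return Err(CopyError::BadDistance);
    }
    let available = out.len().saturating_sub(out_pos);
    if len > available {
        return Err(CopyError::OutputFull { needed: len, available });
    }
    // Byte by byte, so overlapping matches (dist < len) repeat correctly.
    for i in out_pos..out_pos + len {
        out[i] = out[i - dist];
    }
    Ok(out_pos + len)
}

/// Unchecked form: the range index panics when the match runs past the
/// end of the buffer, which is the kind of panic shown in the report.
#[allow(dead_code)]
fn copy_match_unchecked(out: &mut [u8], out_pos: usize, dist: usize, len: usize) -> usize {
    let window = &mut out[out_pos - dist..out_pos + len];
    for i in dist..dist + len {
        window[i] = window[i - dist];
    }
    out_pos + len
}

fn main() {
    // Constructed sizes: a 5694-byte buffer and a match that would end at 5696.
    let mut out = vec![0u8; 5694];
    match copy_match(&mut out, 5690, 4, 6) {
        Err(CopyError::OutputFull { needed, available }) => {
            println!("match needs {needed} bytes, {available} left: flush output and resume")
        }
        other => println!("{other:?}"),
    }
}
```

Returning an error instead of indexing lets the caller flush the output and resume, and keeps a malformed or unexpected stream from turning into a panic inside a function called across a C ABI.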


oyvindln commented Jan 9, 2018

This seems to be strictly a bug in miniz_oxide; it seems to work fine if I force an older version of the zip crate that doesn't use the rust backend by default.

oyvindln added a commit to Frommi/miniz_oxide that referenced this issue Jan 9, 2018

oyvindln commented Jan 9, 2018

This should be fixed in the latest version of miniz_oxide, just waiting for @Frommi to publish a new version on crates.io.


oyvindln commented Jan 9, 2018

Still don't know why a panic in miniz_oxide results in a segmentation fault here in jemalloc though; maybe it's due to the compressor being allocated. It happens with out-of-bounds and overflow panics, but not if I trigger an explicit panic. Maybe it has something to do with the state being allocated using libc.
EDIT: Changing it to use box seems to just move the segfault here instead. Going to open an issue in miniz_oxide about this.

@alexcrichton

I think this has since been sorted out as either being a bug elsewhere or not in this crate, so closing.
