From 393a1832884957c16ef3a554b2af8274caeabc3b Mon Sep 17 00:00:00 2001
From: Ulf Nilsson
Date: Sat, 18 Mar 2017 22:20:40 +0100
Subject: [PATCH] Fix a possible integer overflow in derive_huffman_codes
---
 src/huffman.rs | 6 +++---
 tests/crashtest/images/README.md | 1 +
 .../images/derive-huffman-codes-overflow.jpg | Bin 0 -> 6354 bytes
 3 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 tests/crashtest/images/derive-huffman-codes-overflow.jpg
diff --git a/src/huffman.rs b/src/huffman.rs
index f43bd27d..d9d3bc67 100644
--- a/src/huffman.rs
+++ b/src/huffman.rs
@@ -261,7 +261,7 @@ fn derive_huffman_codes(bits: &[u8; 16]) -> Result<(Vec, Vec)> {
 // Figure C.2
 let mut huffcode = vec![0u16; huffsize.len()];
 let mut code_size = huffsize[0];
- let mut code = 0u16;
+ let mut code = 0u32;
 for (i, &size) in huffsize.iter().enumerate() {
 while code_size < size {
@@ -269,11 +269,11 @@ fn derive_huffman_codes(bits: &[u8; 16]) -> Result<(Vec, Vec)> {
 code_size += 1;
 }
- if code as u32 >= (1u32 << size) {
+ if code >= (1u32 << size) {
 return Err(Error::Format("bad huffman code length".to_owned()));
 }
- huffcode[i] = code;
+ huffcode[i] = code as u16;
 code += 1;
 }
diff --git a/tests/crashtest/images/README.md b/tests/crashtest/images/README.md
index 8b2512ff..76e7c244 100644
--- a/tests/crashtest/images/README.md
+++ b/tests/crashtest/images/README.md
@@ -3,4 +3,5 @@ File | Source
 --------------------------| ------
 imagetestsuite/ | The files in this directory were taken from https://code.google.com/p/imagetestsuite/
 dc-predictor-overflow.jpg | Found by Wim Looman (@Nemo157) while fuzzing
+derive-huffman-codes-overflow.jpg | Found by Pascal Hertleif (@killercup) while fuzzing
 missing-sof.jpg | Found by Corey Farwell (@frewsxcv) when fuzz testing
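Review bot: `let mut code_size = huffsize[0];` in the first hunk indexes `huffsize` unconditionally, so if `huffsize` can be empty (for example when every entry of `bits` is zero) this line panics instead of returning `Error::Format`. How `huffsize` is built, and whether callers already reject an empty table, is above the hunk and not visible here, so this may already be guaranteed elsewhere. Because the commit is hardening this function against fuzzer-found input, it is worth making the precondition explicit, either in a doc comment on `derive_huffman_codes` or with a local guard before the index such as `if huffsize.is_empty() { return Err(Error::Format("empty huffman table".to_owned())); }`. The function starts above this hunk and continues past it.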
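Review bot: The narrowing cast in `huffcode[i] = code as u16;` in the second hunk is lossless only because the check just above it has already rejected `code >= (1u32 << size)`, and nothing at the cast records that dependency. `as` truncates silently, so moving or loosening that check later would store wrong codes without raising any error. A comment on the line such as `// code < (1 << size) and size <= 16, so this fits in u16` would pin the invariant, assuming sizes are bounded by the 16-entry `bits` array (they are derived outside this hunk). A `debug_assert!(size <= 16);` ahead of the shift would document the bound that `1u32 << size` relies on as well. The function continues past the end of the hunk.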
diff --git a/tests/crashtest/images/derive-huffman-codes-overflow.jpg b/tests/crashtest/images/derive-huffman-codes-overflow.jpg new file mode 100644 index 0000000000000000000000000000000000000000..5fb1b06f7cc1c478dbe7c556f15d123cbdfc3da8 GIT binary patch literal 6354 zcmeHMcT`i^)<5^&^bjC`KK1DsLhl^|7<%u$jS3;5gc3ps)rJm(ii`>>B33|=qGB29 zI0}ej8wV7ypgzz+MIFTg7Sz0xi0B{Rx4v2Lk8iy-%YAe2`DLGdes}ME!s3@3$#uyP zQ1o>5a0Lhgz$SPA$uP)s$>zra;Nt^y0RSX`N0a~t5dsf@%mH{A2EY^f=QIvPw5MWF z0M_sUZYm}cj#7in($!NVx)=Q%fm^#5o5uRmP{}Y^H9;&ES{oS&(hWJh)R8(Y%rFZdV;`YYYy#gsR}>qR>l@6? zP2yVdn0B^|h1u5GDZ-RkF^7?zk}OEK&So=ZN-9}7?EJU2dW`_ItGn`UIu?!1C zb3K5rUo#=AU#JQ=42ZP z($zjQILD@QMSP){pDJKT896bj8Dch*X$0?JG<6FpoX*vj@y)(<;9Cd2b>Q#U0k6Mb zN#82^+jn5j|8s?3)K07bN}MdHWq{;Q!17N>6{n^rqzV~khQ@&9=;4EtiY{m}tRaJn zee;TLYy`(}qj}`ACvO~ANbXV>c{n*m`3L&BdU(6YbRX55BNQg1iU6bt#G*hqM@D!= zB!f5%1sfG8!4u(d(}fQH{@zl~&!dcg`Z6&flXu{%fs||7{nr4U2W1h|hyE~}#TAOg zKpP-y;hW$ru}};rZb7Uff>}X4CdKhGj7keuiTQ+Q$zp;7od7_gjwH!(IHGs}C@kn_ zWOCyn4<#I8V*!sZfLO|J%T3_$AU+4Neq3@!HpH)_F)1mj&`(u|SUct`&iJn|hZ8f+ z&*8*R}1#xDz4>iG-zuBEl|01EHPJOSnfEClZOXiF!mf z(T~U>iirip?Zkt`Q^YI85#k#Xl{BAZN^&Jdk_4pHq*78H=_Kh2=>chytVq@%Ta*3B zJaP_sBY7XWjr==#ggi;1Q?w{-N-!mnvWikhIZQc2xkY(NrBazxD{26hPtBv2QIAm1 zQHQB-<&@-f<(%Xe$z{lGkUJpPE_XxjC5=YYq}kIVX=2(2S}pA~?GEjYyt2HZyoWqb zex>{l`6l@*@=q1W3K|Ly3QH7n6-pJ3EBvnTM3JnhspzE0QCy+8L$Ouyn&LQJnQlV& zqo>e|=ymk-^oL4BB~2w4C7x2gQkBw{`KRVTV$5JTFp?Q%j4sBQ>ReTK)eO}N)yt}r zOf6;zb2YPpd0UO5#!`z@+oIN~Hl{vb-A8?ydcFEh4YCGHBSB-EMz_XmO)bqZ%{7|M znh&*RX?bYnYSnAq(xz$KX{TvdYWL|7bXYn`I=ggwbkTte{oDF^{rY;So~0gNZ2~-Mv+FvM%_jqjV+9mjrSQ3nkbog znyfZyGkKwFYRWa;VcKU#GjlatY1U%)++5E*)_k}5bqnSH#(Yh6|Mz??d@R;jbXt6{ zTwp1(JZw3-Kz%{=qR&T8>t;N>Ite@E!*d*E1**sjR zwJ>(!zJ>SLOg4vI!5*?@*hbs#wH>lkwd2@T+TFERv*+1Y+dpv7aY%GH=n+G)8{yEEqO=3MA}*+t1E#HHNjjw{nO-nHI!%+11Wsav}{-rdW+*!`NvJP)o% zt;d+>0?*~1U0!ltL0;uvcfEDJMc!>bsE?=5W}jQW8omPGWd#WX_W0CBH@~L~){yN8_Wz zqU)mHbNo1!obecsn4K|WTqo`}?qi-kZwqfUmK|FX`yh@TR}%Lyo*lnAel)=@p)}zM 
z--%z&f1c=`xF_*-l3&t+BuR2uazhF!B|4>5pd?5Vbftcmnw{D!)Dsp6htjOmwx*4V zyhPRMNc!UR7O@Ka=XohZJLAWU;Y{1i9hq;kLbHx%)3XKHmvVG-*5y3NbkH%yLZ8+UIaY!Yl5D7GuEDWR9-mfYLyv$<&tV@u(dS6idDo-Z{o-Ls9dEo0kInRi*s zcJ=L>w!be=DDU6lxT9g`+@0%ozTU;#b!E5x?!$ZL?ODI)-Cq9Q>lJPlO_iFJrB#Hg z%&PnQLics=XYH@8o>RTP`ojUifuWkfnyy+_ZEfA$x{dW{eMbH0!9@pq4mlrcIc#va zqG4vk`Xk^-#*s%yqmK?8^E%dfoOS&0&l*4PY*cP6Y(koHn#P(Fnul53&la!PBCncwHPmQ+=+n;pAciiiY>Kr^Be!8zKpzHD(uQTV) zx}H7V?a+Pd9Q)jf^Va8EFR(5&U$nf~bjjjU<8KzfHD0#7-1Pf`-&=aDdfIvy_MW_A zcctU1^VPF`9(@=4efxU{LI$p1TXb#cI`8_!8_74G-^{!@Ihc0~f2;7e;_cEqbMI9C zOXpt=LzY9o4m%HDx*K$N@E-Tx<3G~>ct4VVpLW0W!Tblc4^1DQ7dVG!{NK@?7*>@}lVF?3V{#nZN2B_aDDAkuov)y70~HH#Kir zZ@b@xy?Zd3^`7{??1RpSwvS#PZ%I-l5+O&#k!bx-lv&`CIb+*%A_0+fzmbVSkx=0h$#6f)302O}tk!xM-k zGKH$z1sW9rieMOu!|-^iibs~id4Qwil~hd}2+9E*A~Q|JbX9Q$NzL(S$Be+k3OYZ`oS9t!#UFW!1j@)dy;7>y91&xv{CarM0c|bk~`)-RI6%1m|hVU6d~mdHBt z*BY|=KkCSIL%#H55Q=nEW*7>07sKEVfU_PeuFwuI|Ld z`y7W+ml<{7U5`R?;Bsv%Ha?+PA#HGJ;D#;V5$Agbok^Lsc1hnZ_x+F0*vumyN-j1S zbhvZ!RlwE4$N`h&;_m&X+sy0a(--TA5o5k?bnD)V`afdst5zNI3>(;-+GrSR$SJFu zp{XFyaopK^;dI$XepQOckwVMzWkqw>HkAu!)f($aq`zB$4*UD{o8VvgZ0S!J>->G) I3Tcb~4d3R0`v3p{ literal 0 HcmV?d00001