Image.Load throws ExecutionEngineException

Question

Image.Load throws ExecutionEngineException

Metalnem opened this issue 5 years ago · comments

Nemanja Mijailovic commented 5 years ago

Prerequisites

I have written a descriptive issue title
I have verified that I am running the latest version of ImageSharp
I have verified if the problem exist in both DEBUG and RELEASE mode
I have searched open and closed issues to ensure it has not already been reported

Description

Image.Load throws ExecutionEngineException when loading malformed JPG file. The stack trace looks almost the same as in the #827, which probably means the previous issue hasn't been fixed completely.

Steps to Reproduce

Run the following code snippet with the path variable containing the path to the file from the attached archive:

Image.Load(path);

SOS exception details:

Exception object: 000000018eb911f8
Exception type:   System.ExecutionEngineException
Message:          <none>
InnerException:   <none>
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80131506

Stack trace:

00007FFEE12723E0 00007fff785f923e [FaultingExceptionFrame: 00007ffee12723e0] 
00007FFEE1273850 000000011DC57772 SixLabors.ImageSharp.Formats.Jpeg.Components.Decoder.HuffmanTable..ctor(SixLabors.Memory.MemoryAllocator, System.ReadOnlySpan`1<Byte>, System.ReadOnlySpan`1<Byte>) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Formats/Jpeg/Components/Decoder/HuffmanTable.cs @ 114]
00007FFEE12738E0 000000011DC56D55 SixLabors.ImageSharp.Formats.Jpeg.JpegDecoderCore.ProcessDefineHuffmanTablesMarker(Int32)
00007FFEE1274000 000000011DC51FF7 SixLabors.ImageSharp.Formats.Jpeg.JpegDecoderCore.ParseStream(System.IO.Stream, Boolean) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs @ 313]
00007FFEE1274060 000000011DC51285 SixLabors.ImageSharp.Formats.Jpeg.JpegDecoderCore.Decode[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](System.IO.Stream) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs @ 223]
00007FFEE1274080 000000011DC510D5 SixLabors.ImageSharp.Formats.Jpeg.JpegDecoder.Decode[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](SixLabors.ImageSharp.Configuration, System.IO.Stream) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Formats/Jpeg/JpegDecoder.cs @ 25]
00007FFEE12740C0 000000011DC4E937 SixLabors.ImageSharp.Image.Decode[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](System.IO.Stream, SixLabors.ImageSharp.Configuration) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Image.Decode.cs @ 103]
00007FFEE1274120 000000011DC4E42C SixLabors.ImageSharp.Image.Load[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](SixLabors.ImageSharp.Configuration, System.IO.Stream, SixLabors.ImageSharp.Formats.IImageFormat ByRef) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Image.FromStream.cs @ 177]
00007FFEE1274190 000000011DC4E2CB SixLabors.ImageSharp.Image.Load[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](SixLabors.ImageSharp.Configuration, Byte[]) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Image.FromBytes.cs @ 123]

System Configuration

ImageSharp version: master - 8f3658d
Environment (Operating system, version and so on): Mac OS X 10.14
.NET Framework version: .NET Core 2.2.104

Found via SharpFuzz.

Anton Firszov · Answer 1 · Mon Feb 25 2019 00:13:47 GMT+0800 (China Standard Time)

@Metalnem what is the simplest way to produce malformed input for a given format? Is my understanding correct that I need to learn afl-fuzz for this?

Nemanja Mijailovic · Answer 2 · Mon Feb 25 2019 15:26:05 GMT+0800 (China Standard Time)

Yes, you will have to learn afl-fuzz for this. But that's relatively easy thing to do: I wrote a step-by-step tutorial on SharpFuzz installation and usage here. You can also find my ImageSharp fuzzing project here. If you have any troubles setting up SharpFuzz, or any additional questions, just send me an email and I'll assist you.

Dmitry · Answer 3 · Sun Jan 09 2022 10:04:39 GMT+0800 (China Standard Time)

Note if this issue would come up again:

Attached image is malformed, weird things start at DHT (0xffc4) marker. Huffman values are malformed in a way huffman table building code was going out of bounds corrupting memory and CLR state which led to ExecutionEngineException. Runtime doesn't use this exception nowadays:

ExecutionEngineException previously indicated an unspecified fatal error in the runtime. The runtime no longer raises this exception so this type is obsolete.

So it's kind of unspottable without manual debugging.

This problem was fixed here: #1926