Division by zero while decoding an image
HeroicKatora opened this issue · comments
Description
What happened? The code hits a point at which it starts panicking due to a division by zero. The relevant line by human judgment (full stack trace below):
5: exr::meta::compute_block_count
at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/mod.rs:217:5
A stack trace starting from `image`
---- check_regressions stdout ----
thread 'check_regressions' panicked at 'attempt to divide by zero', /rustc/59eed8a2aac0230a8b53e89d4e99d55912ba6b35/library/core/src/ops/arith.rs:478:1
stack backtrace:
0: rust_begin_unwind
at /rustc/59eed8a2aac0230a8b53e89d4e99d55912ba6b35/library/std/src/panicking.rs:517:5
1: core::panicking::panic_fmt
at /rustc/59eed8a2aac0230a8b53e89d4e99d55912ba6b35/library/core/src/panicking.rs:101:14
2: core::panicking::panic
at /rustc/59eed8a2aac0230a8b53e89d4e99d55912ba6b35/library/core/src/panicking.rs:50:5
3: <usize as core::ops::arith::Div>::div
at /rustc/59eed8a2aac0230a8b53e89d4e99d55912ba6b35/library/core/src/ops/arith.rs:471:45
4: exr::math::RoundingMode::divide
at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/math.rs:201:33
5: exr::meta::compute_block_count
at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/mod.rs:217:5
6: exr::meta::compute_chunk_count
at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/mod.rs:325:31
7: exr::meta::header::Header::read
at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/header.rs:890:36
8: exr::meta::header::Header::read_all
at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/header.rs:714:27
9: exr::meta::MetaData::read_unvalidated_from_buffered_peekable
at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/mod.rs:390:23
10: exr::meta::MetaData::read_validated_from_buffered_peekable
at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/mod.rs:401:25
11: exr::block::reader::Reader<R>::read_from_buffered
at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/block/reader.rs:33:25
12: exr::block::read
at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/block/mod.rs:71:5
13: image::codecs::openexr::OpenExrDecoder<R>::with_alpha_preference
at ./src/codecs/openexr.rs:73:26
Reproducing
Original file, gzipped because Github wants it (150 bytes):
clusterfuzz-testcase-minimized-fuzzer_script_exr-5503325700227072.exr.gz
See also: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36438
Environment
- Operating System Linux
- CPU Model x86
- EXRS Version used: 1.3, 1.4
Thanks :) I'll have a look
I suspect the tile_size value is used for calculations before the validation phase is entered. These checks for internal attributes, like the tile_size, are usually done immediately after reading the attribute, it seems like this one was forgotten and is only validated later.
If this is the case, it should be a simple fix, and will be ready in a few days
Should be resolved, see #145. Please re-open if the issue seems to persist :)
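The root cause described in the thread is a tile size that is consumed by arithmetic before the validation phase runs. The following is an added example (not code from the exrs crate or from the thread's participants) showing the two shapes side by side: an unchecked block count that panics on a zero tile dimension, and a hardened path that validates the attribute at the point it is read so that nothing downstream can ever divide by it. The names (`TileSize`, `HeaderError`, `read_tile_description`, `compute_block_count`) are hypothetical, and the 9-byte layout (two little-endian u32 sizes plus one mode byte) is assumed here to match the OpenEXR `tiledesc` attribute.

```rust
// Added example, not exrs code. All names here are hypothetical.
use std::convert::TryInto;

#[derive(Debug, PartialEq)]
pub enum HeaderError {
    /// The attribute payload was shorter than the 9 bytes it must contain.
    Truncated { have: usize, need: usize },
    /// A tile dimension was zero; using it as a divisor would panic.
    ZeroTileSize { x: u32, y: u32 },
}

/// Tile dimensions in pixels, as carried by a tile-description attribute.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct TileSize {
    pub x: u32,
    pub y: u32,
}

/// Integer division rounding up, without the `a + b - 1` overflow trap.
/// Like plain `usize` division it panics on a zero divisor, which is why
/// the divisor has to be validated before this is ever reached.
pub fn div_ceil(numerator: usize, divisor: usize) -> usize {
    numerator / divisor + usize::from(numerator % divisor != 0)
}

/// The shape of the bug: a tile size straight from the file is used in
/// arithmetic with no check, so a zero panics the whole decode.
pub fn compute_block_count_unchecked(width: usize, height: usize, tile: TileSize) -> usize {
    div_ceil(width, tile.x as usize) * div_ceil(height, tile.y as usize)
}

/// Reject a zero dimension immediately after the attribute is read, so every
/// later consumer can rely on a `TileSize` being a usable divisor.
pub fn validate_tile_size(tile: TileSize) -> Result<TileSize, HeaderError> {
    if tile.x == 0 || tile.y == 0 {
        return Err(HeaderError::ZeroTileSize { x: tile.x, y: tile.y });
    }
    Ok(tile)
}

/// Parse a tile-description value: x size (u32 LE), y size (u32 LE), mode (u8),
/// 9 bytes total as assumed here, and validate before handing it out.
pub fn read_tile_description(bytes: &[u8]) -> Result<TileSize, HeaderError> {
    const LEN: usize = 9;
    if bytes.len() < LEN {
        return Err(HeaderError::Truncated { have: bytes.len(), need: LEN });
    }
    let x = u32::from_le_bytes(bytes[0..4].try_into().expect("4 bytes"));
    let y = u32::from_le_bytes(bytes[4..8].try_into().expect("4 bytes"));
    validate_tile_size(TileSize { x, y })
}

/// Hardened block count: validates again at the use site, so even a value
/// that bypassed `read_tile_description` yields an error, not a panic.
pub fn compute_block_count(width: usize, height: usize, tile: TileSize) -> Result<usize, HeaderError> {
    let tile = validate_tile_size(tile)?;
    Ok(compute_block_count_unchecked(width, height, tile))
}

fn main() {
    // Constructed inputs: a sane 64x64 tile, and a fuzzer-style all-zero attribute.
    let good: [u8; 9] = [64, 0, 0, 0, 64, 0, 0, 0, 0];
    let zero: [u8; 9] = [0; 9];

    let tile = read_tile_description(&good).expect("valid tile description");
    println!("1920x1080 with {:?} -> {:?} blocks", tile, compute_block_count(1920, 1080, tile));
    println!("all-zero tiledesc -> {:?}", read_tile_description(&zero));
}
```

The point of validating inside `read_tile_description` rather than only in a later validation pass is that the invalid value never exists as a `TileSize` in the first place; the second check in `compute_block_count` is cheap defence in depth for callers that construct the struct directly.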