johannesvollmer / exrs

100% Safe Rust OpenEXR file library


Division by zero while decoding an image

HeroicKatora opened this issue · comments

Description

What happened? The code hits a point at which it starts panicking due to a division by zero. The relevant line by human judgment (full stack trace below):

   5: exr::meta::compute_block_count
             at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/mod.rs:217:5
A stack trace starting from `image`

---- check_regressions stdout ----
thread 'check_regressions' panicked at 'attempt to divide by zero', /rustc/59eed8a2aac0230a8b53e89d4e99d55912ba6b35/library/core/src/ops/arith.rs:478:1
stack backtrace:
   0: rust_begin_unwind
             at /rustc/59eed8a2aac0230a8b53e89d4e99d55912ba6b35/library/std/src/panicking.rs:517:5
   1: core::panicking::panic_fmt
             at /rustc/59eed8a2aac0230a8b53e89d4e99d55912ba6b35/library/core/src/panicking.rs:101:14
   2: core::panicking::panic
             at /rustc/59eed8a2aac0230a8b53e89d4e99d55912ba6b35/library/core/src/panicking.rs:50:5
   3: <usize as core::ops::arith::Div>::div
             at /rustc/59eed8a2aac0230a8b53e89d4e99d55912ba6b35/library/core/src/ops/arith.rs:471:45
   4: exr::math::RoundingMode::divide
             at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/math.rs:201:33
   5: exr::meta::compute_block_count
             at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/mod.rs:217:5
   6: exr::meta::compute_chunk_count
             at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/mod.rs:325:31
   7: exr::meta::header::Header::read
             at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/header.rs:890:36
   8: exr::meta::header::Header::read_all
             at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/header.rs:714:27
   9: exr::meta::MetaData::read_unvalidated_from_buffered_peekable
             at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/mod.rs:390:23
  10: exr::meta::MetaData::read_validated_from_buffered_peekable
             at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/meta/mod.rs:401:25
  11: exr::block::reader::Reader<R>::read_from_buffered
             at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/block/reader.rs:33:25
  12: exr::block::read
             at /home/andreas/.cargo/registry/src/github.com-1ecc6299db9ec823/exr-1.4.0/src/block/mod.rs:71:5
  13: image::codecs::openexr::OpenExrDecoder<R>::with_alpha_preference
             at ./src/codecs/openexr.rs:73:26

Reproducing

Original file, gzipped because Github wants it (150 bytes):

clusterfuzz-testcase-minimized-fuzzer_script_exr-5503325700227072.exr.gz

See also: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36438

Environment

  • Operating System Linux
  • CPU Model x86
  • EXRS Version used 1.3, 1.4

Thanks :) I'll have a look.

I suspect the tile_size value is used for calculations before the validation phase is entered. These checks for internal attributes, like the tile_size, are usually done immediately after reading the attribute; it seems like this one was forgotten and is only validated later.

If this is the case, it should be a simple fix, and will be ready in a few days.
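The pattern the comment above describes, validating tile_size immediately after it is read so that no later block-count arithmetic can divide by zero, as an added Rust example. This is not exrs code: `TileSize`, `read_tile_size`, the eight-byte layout and the error type are simplifications assumed for the example, and the checked arithmetic is a second line of defence behind the early validation.

```rust
/// Error returned when a header value would make later arithmetic unsound.
#[derive(Debug, PartialEq)]
pub enum HeaderError {
    ZeroTileSize,
    Overflow,
}

/// Hypothetical tile description holding only the two fields this example needs.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct TileSize {
    pub width: u32,
    pub height: u32,
}

/// Read two little-endian u32 values (a constructed layout, not the real OpenEXR
/// tiledesc attribute) and validate them right away, so a zero never reaches
/// `compute_block_count` through a parsed header.
pub fn read_tile_size(bytes: &[u8; 8]) -> Result<TileSize, HeaderError> {
    let width = u32::from_le_bytes([bytes[0], bytes[1], bytes[2], bytes[3]]);
    let height = u32::from_le_bytes([bytes[4], bytes[5], bytes[6], bytes[7]]);
    if width == 0 || height == 0 {
        return Err(HeaderError::ZeroTileSize);
    }
    Ok(TileSize { width, height })
}

/// Number of tiles needed to cover `full_size` pixels with tiles of `tile_size`
/// pixels (ceiling division). Every operation that could panic is replaced by an
/// explicit check, so malformed input yields an error instead of a crash.
pub fn compute_block_count(full_size: u32, tile_size: u32) -> Result<u32, HeaderError> {
    if tile_size == 0 {
        return Err(HeaderError::ZeroTileSize);
    }
    // ceil(full / tile) == (full + tile - 1) / tile; the addition is the only
    // remaining step that can overflow, so it is checked.
    let numer = full_size.checked_add(tile_size - 1).ok_or(HeaderError::Overflow)?;
    Ok(numer / tile_size)
}

/// Total tile count for a `width` x `height` image, mirroring the
/// compute_chunk_count -> compute_block_count call path in the stack trace.
pub fn compute_chunk_count(width: u32, height: u32, tile: TileSize) -> Result<u32, HeaderError> {
    let blocks_x = compute_block_count(width, tile.width)?;
    let blocks_y = compute_block_count(height, tile.height)?;
    blocks_x.checked_mul(blocks_y).ok_or(HeaderError::Overflow)
}

fn main() {
    // Constructed inputs: a valid 64x32 tile, then an all-zero tile description.
    let tile = read_tile_size(&[64, 0, 0, 0, 32, 0, 0, 0]).unwrap();
    println!("{:?}", compute_chunk_count(1000, 500, tile)); // Ok(256)
    println!("{:?}", read_tile_size(&[0; 8])); // Err(ZeroTileSize)
}
```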

Should be resolved, see #145. Please re-open if the issue seems to persist :)