fill_buffer fast path panics on shift overflow with malformed deflate input

[riley-pittman]

The fast path in fill_buffer (line 159) uses a bare << self.nbits shift:

self.buffer |= u64::from_le_bytes(input[..8].try_into().unwrap()) << self.nbits;

When self.nbits >= 64, this panics with "attempt to shift left with overflow" — which occurs in all build modes, not just debug.

The slow path (line 167) already handles this correctly with checked_shl:

self.buffer |= u64::from_le_bytes(input_data)
.checked_shl(self.nbits as u32)
.unwrap_or(0);

How nbits reaches 64: consume_bits guards against underflow with only a debug_assert! (compiled out in release builds). Malformed deflate data can cause the decompressor to consume more bits than are in the buffer, wrapping nbits (a u8) to a large value via unsigned subtraction. On the next fill_buffer call, the shift overflows and panics.

Impact: When used via the png crate, any malformed PNG with a corrupt deflate stream can trigger this panic. In environments using panic=abort (common in embedded/mobile), this is an instant process kill with no opportunity for error recovery.

Proposed fix (3 lines):

1. fill_buffer fast path — use checked_shl, matching the slow path:
   // before
   self.buffer |= u64::from_le_bytes(input[..8].try_into().unwrap()) << self.nbits;
   *input = &input[(63 - self.nbits as usize) / 8..];

// after
self.buffer |= u64::from_le_bytes(input[..8].try_into().unwrap())
.checked_shl(self.nbits as u32)
.unwrap_or(0);
*input = &input[(63 - self.nbits.min(63) as usize) / 8..];

2. consume_bits — use saturating_sub to prevent wrapping on malformed input:
   // before
   self.nbits -= nbits;

// after
self.nbits = self.nbits.saturating_sub(nbits);

[fintelia]

Was this report produced by an LLM? If you believe that it is possible to hit a panic there, then please provide a failing input

[fintelia]

To elaborate, it is a bug to call consume_bits and attempt to consume more than self.nbits worth. So if that were happening it would be a bug. But it isn't a bug that the rest of the code doesn't handle bogus values for nbits that would occur if it underflowed.

[riley-pittman]

Hello! Apologies for not providing much context. We are currently testing replacing our c PNG decoder in Facebook with this rust one (for security reasons) https://github.com/image-rs/image-png. It's rare, but are seeing a few users crash with the following stack trace

Signal: SIGTRAP (panic=abort on ARM64)
#0 fdeflate::decompress::Decompressor::fill_buffer
→ core::panicking::panic (panic.rs:177)
#1 fdeflate::decompress::Decompressor::read
→ decompress.rs:621
#2 png::decoder::stream::StreamingDecoder::update
→ zlib.rs:227
#3 png::decoder::read_decoder::ReadDecoder::decode_next
→ read_decoder.rs:71
#4 png::decoder::read_decoder::ReadDecoder::decode_image_data
→ read_decoder.rs:117
#5 png::decoder::unfiltering_buffer::UnfilteringBuffer::with_unfilled_buffer
→ mod.rs:712
#6 png::decoder::Reader::next_raw_interlaced_row
→ mod.rs:712
#7 png::decoder::Reader::next_interlaced_row_impl
→ mod.rs:610
#8 png::decoder::Reader::read_row
→ mod.rs:575
#9 png::decoder::Reader::next_interlaced_row
→ mod.rs:530
#10 png::decoder::Reader::next_row
→ mod.rs:517

Unfortunately I do not get the offending PNG in our telemetry. I've set up a few fuzzers but no luck so far in reproducing the crash. I've created a local patch to test the 'fix' and see if users stop crashing but it will take multiple weeks to verify (will report back).

[fintelia]

Based on that backtrace and reading the generated assembly, I believe that the shift doesn't cause a panic but when nbits>=64, the next line underflows on the slice indexing calculation and panics.

To figure out why nbits is out of range, it may be worth upgrading the debug_assert! in the consume method to an assert!. That would give a backtrace on which call site is causing the underflow.

[riley-pittman]

Ok so I shipped a patch which adds checked_shl on the fast path, saturating_sub in consume_bits, .min(63) guard on the subtraction and it has been live for a few weeks now and we've seen in-the-wild crashes drop to 0.

I was never able to reproduce the crash with fuzzers.

I've just now added logging on consume_bits to capture the call site, self.nbits, and nbits values when the underflow condition fires. Will take some time for it to roll out and i'll report back