Excessive Memory Allocation on Large Image Dimensions in image2::Image<T,C>::new #23

@rfuzz

Description

While performing fuzz testing on the current library, I discovered an input that can cause a program crash. Specifically, when the width and height values of the image being read are extremely large, the function image2::image::Image<T,C>::new (image.rs:71) fails to initialize the vec, resulting in an abnormal program termination.

Here’s the relevant Rust code:

use image2::*;

fn main() {
    // Open the fuzzer-generated BMP; the abort happens inside Image::new
    // while the file is being decoded, before this match is reached.
    match Image::<f32, Rgb>::open("crash.bmp") {
        Ok(_) => {}
        Err(e) => {
            println!("Error: {:?}", e);
        }
    }
}

# Reproducer: decode the crashing BMP (base64-encoded) into crash.bmp
echo "Qk1CAAAAAAAAAD4AAAAoAAAAFc1bBxXNWwcBAAEAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///wCAAAAA" | base64 -d > crash.bmp

crash.bmp image info: biWidth 123456789, biHeight 123456789

When run, the following output is produced:

❯ valgrind ./target/debug/image2_fuzz_target_test
==1774007== Memcheck, a memory error detector
==1774007== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1774007== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==1774007== Command: ./target/debug/image2_fuzz_target_test
==1774007== 
memory allocation of 182898945002286252 bytes failed
==1774007== 
==1774007== Process terminating with default action of signal 6 (SIGABRT)
==1774007==    at 0x560C9FC: __pthread_kill_implementation (pthread_kill.c:44)
==1774007==    by 0x560C9FC: __pthread_kill_internal (pthread_kill.c:78)
==1774007==    by 0x560C9FC: pthread_kill@@GLIBC_2.34 (pthread_kill.c:89)
==1774007==    by 0x55B8475: raise (raise.c:26)
==1774007==    by 0x559E7F2: abort (abort.c:79)
==1774007==    by 0x1BA3E9: std::sys::pal::unix::abort_internal (mod.rs:373)
==1774007==    by 0x1B54D9: std::process::abort (process.rs:2366)
==1774007==    by 0x1BBB60: std::alloc::rust_oom (alloc.rs:376)
==1774007==    by 0x1BBB82: __rg_oom (alloc.rs:371)
==1774007==    by 0x1D1D8C: alloc::alloc::handle_alloc_error (alloc.rs:403)
==1774007==    by 0x1D1D79: alloc::raw_vec::handle_error (raw_vec.rs:776)
==1774007==    by 0x16A596: <T as alloc::vec::spec_from_elem::SpecFromElem>::from_elem (raw_vec.rs:438)
==1774007==    by 0x16A28B: alloc::vec::from_elem (mod.rs:3122)
==1774007==    by 0x14678D: image2::image::Image<T,C>::new (image.rs:71)
==1774007== 
==1774007== HEAP SUMMARY:
==1774007==     in use at exit: 30,157,440 bytes in 64,802 blocks
==1774007==   total heap usage: 117,217 allocs, 52,415 frees, 31,711,804 bytes allocated
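Added example, not code from image2 or from the reporter: a hypothetical stand-in for the constructor that checks width * height against a pixel cap with overflow-safe arithmetic and reserves the buffer with `try_reserve_exact`, so the header values from crash.bmp are rejected with an `Err` instead of the allocator abort shown in the trace. The names `buffer_bytes`, `new_image_data` and the `MAX_PIXELS` value are assumptions for this example.

```rust
use std::convert::TryFrom;
use std::mem::size_of;

/// Upper bound on width * height accepted by the constructor.
/// Assumed value for this example; a library would make it configurable.
pub const MAX_PIXELS: u64 = 1 << 30;

#[derive(Debug, PartialEq)]
pub enum ImageError {
    /// width * height overflows, or exceeds MAX_PIXELS.
    DimensionsTooLarge { width: u64, height: u64 },
    /// The size was representable but the allocator refused it.
    OutOfMemory(u64),
}

/// Bytes needed for a width x height image with `channels` samples of `T`
/// per pixel; None if the product overflows u64 (no silent wrap-around).
pub fn buffer_bytes<T>(width: u64, height: u64, channels: u64) -> Option<u64> {
    width
        .checked_mul(height)?
        .checked_mul(channels)?
        .checked_mul(size_of::<T>() as u64)
}

/// Hypothetical stand-in for Image<T, C>::new: validate dimensions first,
/// then reserve with try_reserve_exact so a failed allocation becomes an
/// Err instead of the SIGABRT seen in the valgrind trace above.
pub fn new_image_data<T: Default + Clone>(
    width: u64,
    height: u64,
    channels: u64,
) -> Result<Vec<T>, ImageError> {
    let too_large = || ImageError::DimensionsTooLarge { width, height };
    let pixels = match width.checked_mul(height) {
        Some(p) if p <= MAX_PIXELS => p,
        _ => return Err(too_large()),
    };
    let bytes = buffer_bytes::<T>(width, height, channels).ok_or_else(too_large)?;
    let elems = pixels
        .checked_mul(channels)
        .and_then(|n| usize::try_from(n).ok())
        .ok_or_else(too_large)?;
    let mut data: Vec<T> = Vec::new();
    data.try_reserve_exact(elems)
        .map_err(|_| ImageError::OutOfMemory(bytes))?;
    data.resize(elems, T::default());
    Ok(data)
}
```

With the crash.bmp dimensions (123456789 x 123456789, f32 RGB) `buffer_bytes` yields exactly the 182898945002286252 bytes from the trace, and `new_image_data` returns `DimensionsTooLarge` without touching the allocator.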