Panic when decoding JPEG: range end index out of range for slice

[Yomihay-qut]

Description
Hello, I discovered a panic in zune-jpeg (version 0.5.5) while fuzzing image-tiff with cargo-fuzz. The parser panics with an index out of bounds error in src/mcu.rs.

The issue seems to occur during the post-processing of MCU blocks, where a slice access uses an index that exceeds the slice length.

Panic Location
src/mcu.rs:596:44

Reproduction Code
Here is a minimal reproduction case that triggers the crash (using cargo fuzz):

1. Clone the repository.
2. Run the fuzzer with the provided crash artifact.

cargo fuzz run decode_image fuzz/artifacts/decode_image/crash-916ae517a53265acbdfae0bbb2df69bfe46e3cf6

Stack Trace

thread '<unnamed>' panicked at /home/zx/.cargo/registry/src/rsproxy.cn-e3de039b2554c837/zune-jpeg-0.5.5/src/mcu.rs:596:44:
range end index 5248 out of range for slice of length 5120
stack backtrace:
   0: rust_begin_unwind
   1: core::panicking::panic_fmt
   2: core::slice::index::slice_index_fail::do_panic::runtime
   3: core::slice::index::slice_index_fail
   4: core::slice::index::index
   5: core::slice::index::index
   6: <zune_jpeg::decoder::JpegDecoder<zune_core::bytestream::reader::no_std_readers::ZCursor<alloc::vec::Vec<u8>>>>::post_process::{closure#1}
             at /home/zx/.cargo/registry/src/rsproxy.cn-e3de039b2554c837/zune-jpeg-0.5.5/src/mcu.rs:596:44
   7: <zune_jpeg::decoder::JpegDecoder<zune_core::bytestream::reader::no_std_readers::ZCursor<alloc::vec::Vec<u8>>>>::post_process
             at /home/zx/.cargo/registry/src/rsproxy.cn-e3de039b2554c837/zune-jpeg-0.5.5/src/mcu.rs:699:13
   8: <zune_jpeg::decoder::JpegDecoder<zune_core::bytestream::reader::no_std_readers::ZCursor<alloc::vec::Vec<u8>>>>::decode_mcu_ycbcr_baseline
             at /home/zx/.cargo/registry/src/rsproxy.cn-e3de039b2554c837/zune-jpeg-0.5.5/src/mcu.rs:254:26
   9: <zune_jpeg::decoder::JpegDecoder<zune_core::bytestream::reader::no_std_readers::ZCursor<alloc::vec::Vec<u8>>>>::decode
             at /home/zx/.cargo/registry/src/rsproxy.cn-e3de039b2554c837/zune-jpeg-0.5.5/src/decoder.rs:208:14

Environment

• zune-jpeg version: 0.5.5
• Rust: stable (used via cargo-fuzz)
• OS: Linux

Multiple samples

• Multiple fuzzing artifacts in Panic_IndexOOB__zune-jpeg-0.5.5_src_mcu.rs_596.zip reproduce this crash; include one of these artifacts when testing.

Panic_IndexOOB__zune-jpeg-0.5.5_src_mcu.rs_596.zip

[197g]

@Yomihay-qut While the discovery seems to work with your workflow, please don't include any 'suggestion', 'analysis', or 'suggested-fix' from the LLM that you haven't been able to verify yourself. I've just mentally skipped right over it, it seems completely irrelevant. Way too generic and cautious.. ("This likely involves color conversion or upsampling"). The one in #316 is particularly egregious.

[Yomihay-qut]

@Yomihay-qut While the discovery seems to work with your workflow, please don't include any 'suggestion', 'analysis', or 'suggested-fix' from the LLM that you haven't been able to verify yourself. I've just mentally skipped right over it, it seems completely irrelevant. Way too generic and cautious.. ("This likely involves color conversion or upsampling"). The one in #316 is particularly egregious.

Understood. I will refrain from including unverified LLM analysis in the future and stick to the raw crash logs. Sorry for the noise....

[Yomihay-qut]

I have updated issues #315 and #316 to remove the LLM analysis and suggestions. Here is the fuzz_target code I used during testing:

fuzz_targets.zip

[197g]

Thank you so much, that is much more digestible.