From edd260fe7e7060fd659dcf75f56858d2770480e7 Mon Sep 17 00:00:00 2001
From: Bastian Kersting
Date: Fri, 31 Oct 2025 06:17:35 +0000
Subject: [PATCH] Don't panic if LZW doesn't find an LZW end code

Currently, when getting the LZWStatus::NoProgress from the underlying weezl library, tiff checks that no input bytes were read and no output bytes were written. Although this is according to what the weezl library mentions in their doc-comment, it's not what the real result always looks like. Our fuzzer found input that triggered exactly this case, where the LZW reader is able to write some output byte before hitting the NoProgress status. This change removes the assert, as the resulting action is anyways to return an error that can be handled by the caller.
---
 src/decoder/stream.rs | 3 ---
 .../oor_panic/sample-get-lzw-stuck.tiff | Bin 0 -> 7048 bytes
 2 files changed, 3 deletions(-)
 create mode 100644 tests/fuzz_images/oor_panic/sample-get-lzw-stuck.tiff
diff --git a/src/decoder/stream.rs b/src/decoder/stream.rs
index 6330969c..9e972a91 100644
--- a/src/decoder/stream.rs
+++ b/src/decoder/stream.rs
@@ -186,9 +186,6 @@ impl Read for LZWReader {
 }
 }
 Ok(weezl::LzwStatus::NoProgress) => {
- assert_eq!(result.consumed_in, 0);
- assert_eq!(result.consumed_out, 0);
- assert!(self.reader.buffer().is_empty());
 return Err(io::Error::new(
 io::ErrorKind::UnexpectedEof,
 "no lzw end code found",
diff --git a/tests/fuzz_images/oor_panic/sample-get-lzw-stuck.tiff b/tests/fuzz_images/oor_panic/sample-get-lzw-stuck.tiff new file mode 100644 index 0000000000000000000000000000000000000000..d62df78eb9608565ab9472af99b4cd551e09febd GIT binary patch literal 7048 zcmeH~k9QMQ+Q;v`Gm}gvlVqBvX_|(1lK!xSS^}bUvB0F1QYu1#!j>Q61hf>bP!O@8 zZEr$by8I}GEo@{Jhg!SczKB^CyA=^91uCz0p+G@I#7RL!tQdC@D^}dFhxfex0q;5Q zIeVOYo^wCv&NFxJ%$etVzcY2J6VLzvBLI*9FiKBE1K#6|D5EG7(f(F6hfiHRjdJ2Wz7b{HFY+^f!J{AohUodM=*>q*+4S!@02qHS=kA(v@A2J< zC;fu+Ao=gL(b4hA_jo9pKRcRpcP*y77e|kRXxzpB={az>g)#wHAC0_djE|nab3XvS z`FAt#w$ZLpW5>C&$BiDvk9zPfjCBFevWh3mp7E|;v5J2n>mh&v&|nZi`#^*6C>PsD zz5s*ra!<-l#zz>0Z-j@-xd8c+Z&I*0$1M4&TTpNARR7g2bL$3d z5h~kP=voyp|ADGUlsJEk`EM#a-0br1wX~^XV2`vc)l#C4U$2SDX4kAqOgWCavWprP zq-0LDrVLLzFm1&4nwo9yoTS{6?Q?5hpBZ;?&I;3|)bD-}7S3GS^!Lvn3_rSks&CcW zg@>1pedXk})$1Oc@TcFt@zKDV7Zx7=;`w*axIwZ&G*VaLc#M@%#q4=P#JxD*6L*VR z3!B7M3U4O=AQtpev@-8SY6}p9s#>`nC z#4mHGbn?m;wFY~?CDX)}{0?8M$0quea%;9Ptc=l9Q`)NH=@h9xj-Fgzv$X#8l>Br{ zfAQgTTW;y1`?ffIhwfA7Zrh*oJCxn$)ccq9WbEw!ojGHD^SkNyZwwXJebcw&{zqq@ zjeB&?oU;vYHvtt--vC<#y0sPyl8V7g235u2Nek@-Pe=>_F4KCIkD|G?P}OEM`ar;l zU@d3P@@+V7wZLO-Nx85km8MBC(8B0MX+P5daFVK)KR(0)9BelD?3R9Qll;b5o$qy! 
zse-M8j%3*4(NBZnh$9g>utN)#Mk5csjeI5iLQH-r0j#Z1)qv7gb&^tEOcVUtL6u*q zSfoypu~Ub`-qz%up+Tb~aWTKnkBg5_kI1&H;ErM@i=u5RfF^ZnhtWyRa3CHRJ9x| z#i}g4L77i-j|V-c~!3HR+D1+An_8IjTYzVb-ehnpX*WE+Z-C#W{89(bhsuJ z2!T{oT&G#WrfrgUjrTV`&ENs2Ke#&Vwt?X04}Ta~ajpYc&hy=Mh0uhDH-7i~Hb`fC@C)VuW%8L&v@c zkrPB0)*HlZCytDsF9-C* zn_zt(+Uj9P;p|r+x40zTIQpg+)f(ubsFk0ec#sj76YXOH)ZbZX+(hWk}E+nqj zY{pKl91I}^>xjlNBjw(&2r*Spiq1?tI7BXaF$VWeO;gGCSgB0(i5I9T*J4a9eH7En zL)>VFWuB=(p^>VQR!JF?eKCg!+^f?My#0HiG|ZPPUV~widW*}(fQrAsBLbsUCfIzz zpJ_+L{<}z{2?;Yaypm3cyPRE5$C=%E^QjoW$uImiJ|qw|q17gUXOpmCCFQFz#{rhP ze9c*_?4!GmZ{D!_vHpb%wyZqM$AiUf(BDW87x+hkR6uA2_BVp-9nde3px5XU3g$pz zFNHmp5s!IvdYtVtihPEQ$DmxBW($|@1X2fTwrO>#c~p0KJmkxgq1>k?1H(AHdYNy4 zNs{GFiTlBVd zWPa(VHo;$vVr7~IE(LUpgj(XnWPwfq8J_@2By^4JD3Cq$KHyhn_8M8>iG^M{`r!4% zlulMXvr%L9;f@b{{C%X{W74`NWMQe9 zIMSxBg`ELL zT?NO2gnEZWssKGw$T$V00HKxHaUi1&jvH8wXO_UPDwe^x%w>2bCWiNZ0dN4(jf@>< zRDmPYQ2y6xfG&T3(UPH9jc3+4Ir1~ySZ?vboy4&MU7|2%0>(kK9Lf17(E74hXkwXdKpcNeY z(xm}Gb`IDJ>?UBJ3+yGpo(_a2aQtN;sh~is1ez0R15dLu6DOIiSZ@}XjdBhMPXl4@ z9g$<@RCI*{;cjTJfc$1Ce*Wwel~ac|ei7c^m&CcK)l7cuUK7}>>m_iCgH z#$Cejoy^l+aZ)Qm7i#SVT6+?6V;!N$EomJ(MUEE_8-r@_ZLMWx{W$L>z&8Tn4se$M z;XH8P0=~J$ku2a_2)0^)$iyqO^^E~&zXF1@Vz53@(d#j%k~uYR1F|(y)*lis!6_xQ zXjUsG4M^9^sj)Rdq-sKcxs8M?FnodV9i?DB8Qw|3Jc=(N!(~L+Pbg0j*n#Yg2sa_H zA1E8ta@2lXVu1A~Pktm=OT=C%FM_^1(96JZ0Rkn+u}}|;6O{oN>Op)C5+X2MN{Fp0 z-$hy;P|Mx4oT`x|jZA8k@*1U8rLLPk|cui*!1>7d5DTB9u2D1Dke=NUf0 zY%A2u%__b{4VpRpGR3#6<)B__OO)Cv+>wMk)Ji8O9gGp=c(7lE59oPWEgz1@$3`|i znZJBHDKqf}tsvwF@*xoZ(56I9fzc)z6M=~p;&t}T5I>$KTDOd#^*m2u$1urZ0;zw( zZ3qt_$&dE1NZuax5(HRB*w+yDokYzF#@j^fVF>v;q1+(hbRv9%3}2_*A5d;R4PWB;uNbvwj@f%VTxJ%RX>8GVXF(|y`&K>CfT9EjxAv)>|dzE zJT0bZ^G#YMT`dbFzdV`WY~dSz1ec-?g8?~=FIpyJG-2mkpjF$H#B5ubD7VFndxwd8 zRZ_cE?0~#%1sz7Q6X71c5{v-{82$sp)*kl2vW4IEz75-f5G|YwK)4OuS-{PJnfnZY zqXAtg_H?+HR5+8TtJG0YQ?5;@1(_-HPU8H zcr)WY!MM9M;R0sr1+Cm>+va%-wCh38!Urw*03jVP@*OI0FoEy5hR?BH6T9a&i-%ae zn3YHC;?6w#y&%~I(7chsBob9gGD#ov1Me%tcq1h;Q6FLuSewFHC3cv|Ci8p}HX9TM 
z-YA_Y8;MCnP|PGi11!vlQ8-KVUF}~3!qM-UC*BuX(WnwFD%tWKUkKf~gl{tyGE?FZ zC5n`Ij+6#bXdMb)M4^WW5JWy9O)`_RDLz;R-CZzLhIUMU4@3|c1D~}4C5by(g;a&H zAe~dPjG`mD8xz2xl`@j}X|wq48t-)ttk;A&MmWsaXK9pl299OmKjZLTgU~WekZe*b z6c60yd$ri8Jy2{AI{t%E0uMlriBCJMj+(AfqZ?4Z%5*7#0Qa_ML|I$ z?9%um8}a^lQPS|c5<#<7+^rLvljT;UvO7kU*7<-Y#4&p^wcgW=J(cm@(b^dXRxy04 zHrzK>ZrAdM6ZtkX-j^_Q{l?q&=CoP=yUqOv2)^>G;QuQ4zY6|;jNoVgUkHBeuY&(e z!8c(R0X?N~v5JuuOjgOnNoHg2ZRl-)b9-Rx@;J$+i02SYN1zbdPqd0oR?LLLNPoyl zsB3g`Caa95#F%Wh_&_WLkXud5><^xtakN_HVxS3PhAs?Xl%_hDv25%%VH^rxQZAiQg zUAaDhuw;3-ILRlazyc>FB$L4;N>24PI@f2U`GU6f6((ZNgFcTAdd5O=M6mh=@c(gC zjyzL2v9EH**~-VyRj&A`vif}G){iS+y>Nf!o1av^cd_#1rws{H1&%Ab`gL%1rr zziQ;=s)<*sW_(`t_|>WvUsP3JtJ?Zy)vMR5-u$ZSy@9HeUsrv0qw1S)s(y}C8@{bh z{zvu5e^yVtSv}*s>c?+YulT;Yda!!y57n>Uu72~!>i34KPyST>*&P}nitxL|-io~R zIBne|Z|`7Dep>9t$%{`_94&b;v0=)RQ$LV(lT)@&ed6@myw*7*c0Tgt=^tvkpL}4~ zqa|n79=-b9!@FlJJ#(8<)lO=jS=zU5a{7)(T4yioyIq_A`t0^OPn}(NtmLf)`+ocM z*&nI8V@vkWD?9hXf>0pFex>vE?7VaO~=LFC2b+#YaObHMPFWTYmn< z{QKfIbuU?YeyDCr+V4Mja@EH#b}xPKk0+Ks`|(ez4U=Cxy=?V`%KSgg`LA7$ zy7!;_>xF05d{Wu{#dGgmTJiiRchu_IBmFBYE>=ysZ^wsMpIv+L&W0(kpSk|rx=*X# zU;5T3H=cjt)1TEFj$Qu8+85u>`tbBn$kj93_TQs>&g7gL^Y_^cKYr-%XI>0vpP2pf zm*Y;HIrMGL$=Mfwm~isUPf+MB8m7tZ?HeDHcdF>Ig#1%|mG*+uMXwAmJl*&1sA*@4 yKK;$~Gkrg~J$-YAO`X+ucKpnuvvVGsH}~w>N^kMGIj=06f9~wND;I|9>3;$DYXPhP literal 0 HcmV?d00001