Merge pull request #704 from imazen/fix/gif-security-hardening-v2

fix: harden GIF decoder against malformed input

Author: lilith

imageflow_core/src/codecs/gif/disposal.rs

@@ -28,17 +28,17 @@ impl<Pixel: Copy> Default for Disposal<Pixel> {
 
 impl<Pixel: Copy> Disposal<Pixel> {
     pub fn dispose(&mut self, pixels: &mut [Pixel], stride: usize, bg_color: Pixel) {
-        if self.width == 0 || self.height == 0 {
-            return;
-        }
-
-        let pixels_iter = pixels.iter_mut().subimage(
-            self.left as usize,
-            self.top as usize,
+        let (w, h, l, t) = (
             self.width as usize,
             self.height as usize,
-            stride,
+            self.left as usize,
+            self.top as usize,
         );
+        if w == 0 || h == 0 || l.saturating_add(w) > stride {
+            return;
+        }
+
+        let pixels_iter = pixels.iter_mut().subimage(l, t, w, h, stride);
         match self.method {
             Background => {
                 for px in pixels_iter {
@@ -56,25 +56,26 @@ impl<Pixel: Copy> Disposal<Pixel> {
         }
     }
 
-    pub fn new(frame: &gif::Frame, pixels: &[Pixel], stride: usize) -> Self {
+    pub fn new(frame: &gif::Frame, pixels: &[Pixel], stride: usize, canvas_height: usize) -> Self {
+        // Clip frame bounds to canvas dimensions.
+        let l = (frame.left as usize).min(stride);
+        let t = (frame.top as usize).min(canvas_height);
+        let w = (frame.width as usize).min(stride.saturating_sub(l));
+        let h = (frame.height as usize).min(canvas_height.saturating_sub(t));
+        let valid = w > 0 && h > 0;
+
         Disposal {
             method: frame.dispose,
-            left: frame.left,
-            top: frame.top,
-            width: frame.width,
-            height: frame.height,
+            left: l as u16,
+            top: t as u16,
+            width: w as u16,
+            height: h as u16,
             previous_pixels: match frame.dispose {
-                Previous => Some(
+                Previous if valid => Some(
                     pixels
                         .iter()
                         .cloned()
-                        .subimage(
-                            frame.left as usize,
-                            frame.top as usize,
-                            frame.width as usize,
-                            frame.height as usize,
-                            stride,
-                        )
+                        .subimage(l, t, w, h, stride)
                         .collect(),
                 ),
                 _ => None,

imageflow_core/src/codecs/gif/screen.rs

@@ -31,7 +31,7 @@ impl Screen {
 
         let pixels = reader.width() as usize * reader.height() as usize;
         let bg_color = if let (Some(bg_index), Some(pal)) = (reader.bg_color(), pal.as_ref()) {
-            pal[bg_index]
+            pal.get(bg_index).copied().unwrap_or_default()
         } else {
             BGRA8::default()
         };
@@ -56,27 +56,39 @@ impl Screen {
             .or(self.global_pal.as_ref())
             .ok_or("the frame must have _some_ palette")?;
 
+        // Clip frame bounds to canvas (matches browser behavior for malformed GIFs).
+        let left = (frame.left as usize).min(self.width);
+        let top = (frame.top as usize).min(self.height);
+        let sub_w = (frame.width as usize).min(self.width.saturating_sub(left));
+        let sub_h = (frame.height as usize).min(self.height.saturating_sub(top));
+
         self.disposal.dispose(&mut self.pixels, self.width, self.bg_color);
-        self.disposal = Disposal::new(frame, &self.pixels, self.width);
+        self.disposal = Disposal::new(frame, &self.pixels, self.width, self.height);
+
+        if sub_w == 0 || sub_h == 0 {
+            return Ok(());
+        }
+
+        // Offset into the frame's pixel buffer to account for clipping.
+        let frame_left_clip = left.saturating_sub(frame.left as usize);
+        let frame_top_clip = top.saturating_sub(frame.top as usize);
 
         for (dst, &src) in self
             .pixels
             .iter_mut()
-            .subimage(
-                frame.left as usize,
-                frame.top as usize,
-                frame.width as usize,
-                frame.height as usize,
-                self.width,
+            .subimage(left, top, sub_w, sub_h, self.width)
+            .zip(
+                buffer
+                    .iter()
+                    .subimage(frame_left_clip, frame_top_clip, sub_w, sub_h, frame.width as usize),
             )
-            .zip(buffer.iter())
         {
             if let Some(transparent) = frame.transparent {
                 if src == transparent {
                     continue;
                 }
             }
-            *dst = pal[src as usize];
+            *dst = pal.get(src as usize).copied().unwrap_or(BGRA8 { r: 0, g: 0, b: 0, a: 0 });
         }
 
         Ok(())

imageflow_core/tests/crash_repro/gif_bad_bg_index.gif

@@ -373,6 +373,243 @@ fn test_gif_palette_bounds() {
     }
 }
 
+// =============================================================================
+// GIF frame bounds clipping (frames extending beyond canvas)
+// =============================================================================
+
+#[test]
+fn test_gif_frame_exceeds_canvas() {
+    let gif =
+        fs::read(repo_root().join("imageflow_core/tests/crash_repro/gif_frame_exceeds_canvas.gif"))
+            .expect("read fixture");
+    let mut ctx = create_context();
+    let _ = ctx.add_copied_input_buffer(0, &gif);
+
+    let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
+        let _ = ctx.add_output_buffer(1);
+        let _ = ctx.build_1(s::Build001 {
+            builder_config: None,
+            io: vec![
+                s::IoObject {
+                    direction: s::IoDirection::In,
+                    io_id: 0,
+                    io: s::IoEnum::Placeholder,
+                },
+                s::IoObject {
+                    direction: s::IoDirection::Out,
+                    io_id: 1,
+                    io: s::IoEnum::OutputBuffer,
+                },
+            ],
+            framewise: s::Framewise::Steps(vec![
+                s::Node::Decode { io_id: 0, commands: None },
+                s::Node::Encode { io_id: 1, preset: s::EncoderPreset::Gif },
+            ]),
+        });
+    }));
+
+    match result {
+        Ok(_) => println!("GIF with frame exceeding canvas handled safely (clipped)"),
+        Err(e) => panic!("Panic on GIF with frame exceeding canvas: {:?}", e),
+    }
+}
+
+#[test]
+fn test_gif_overflow_frame_position() {
+    let gif =
+        fs::read(repo_root().join("imageflow_core/tests/crash_repro/gif_overflow_frame_pos.gif"))
+            .expect("read fixture");
+    let mut ctx = create_context();
+    let _ = ctx.add_copied_input_buffer(0, &gif);
+
+    let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
+        let _ = ctx.add_output_buffer(1);
+        let _ = ctx.build_1(s::Build001 {
+            builder_config: None,
+            io: vec![
+                s::IoObject {
+                    direction: s::IoDirection::In,
+                    io_id: 0,
+                    io: s::IoEnum::Placeholder,
+                },
+                s::IoObject {
+                    direction: s::IoDirection::Out,
+                    io_id: 1,
+                    io: s::IoEnum::OutputBuffer,
+                },
+            ],
+            framewise: s::Framewise::Steps(vec![
+                s::Node::Decode { io_id: 0, commands: None },
+                s::Node::Encode { io_id: 1, preset: s::EncoderPreset::Gif },
+            ]),
+        });
+    }));
+
+    match result {
+        Ok(_) => println!("GIF with overflow frame position handled safely"),
+        Err(e) => panic!("Panic on GIF with overflow frame position: {:?}", e),
+    }
+}
+
+#[test]
+fn test_gif_zero_size_frame() {
+    let gif =
+        fs::read(repo_root().join("imageflow_core/tests/crash_repro/gif_zero_size_frame.gif"))
+            .expect("read fixture");
+    let mut ctx = create_context();
+    let _ = ctx.add_copied_input_buffer(0, &gif);
+
+    let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
+        let _ = ctx.add_output_buffer(1);
+        let _ = ctx.build_1(s::Build001 {
+            builder_config: None,
+            io: vec![
+                s::IoObject {
+                    direction: s::IoDirection::In,
+                    io_id: 0,
+                    io: s::IoEnum::Placeholder,
+                },
+                s::IoObject {
+                    direction: s::IoDirection::Out,
+                    io_id: 1,
+                    io: s::IoEnum::OutputBuffer,
+                },
+            ],
+            framewise: s::Framewise::Steps(vec![
+                s::Node::Decode { io_id: 0, commands: None },
+                s::Node::Encode { io_id: 1, preset: s::EncoderPreset::Gif },
+            ]),
+        });
+    }));
+
+    match result {
+        Ok(_) => println!("GIF with zero-size frame handled safely"),
+        Err(e) => panic!("Panic on GIF with zero-size frame: {:?}", e),
+    }
+}
+
+// =============================================================================
+// GIF invalid background color index
+// =============================================================================
+
+#[test]
+fn test_gif_bad_bg_index() {
+    let gif = fs::read(repo_root().join("imageflow_core/tests/crash_repro/gif_bad_bg_index.gif"))
+        .expect("read fixture");
+    let mut ctx = create_context();
+    let _ = ctx.add_copied_input_buffer(0, &gif);
+
+    let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
+        let _ = ctx.add_output_buffer(1);
+        let _ = ctx.build_1(s::Build001 {
+            builder_config: None,
+            io: vec![
+                s::IoObject {
+                    direction: s::IoDirection::In,
+                    io_id: 0,
+                    io: s::IoEnum::Placeholder,
+                },
+                s::IoObject {
+                    direction: s::IoDirection::Out,
+                    io_id: 1,
+                    io: s::IoEnum::OutputBuffer,
+                },
+            ],
+            framewise: s::Framewise::Steps(vec![
+                s::Node::Decode { io_id: 0, commands: None },
+                s::Node::Encode { io_id: 1, preset: s::EncoderPreset::Gif },
+            ]),
+        });
+    }));
+
+    match result {
+        Ok(_) => println!("GIF with invalid bg_index handled safely"),
+        Err(e) => panic!("Panic on GIF with invalid bg_index: {:?}", e),
+    }
+}
+
+// =============================================================================
+// GIF out-of-bounds palette index in pixel data
+// =============================================================================
+
+#[test]
+fn test_gif_oob_palette_in_pixels() {
+    let gif =
+        fs::read(repo_root().join("imageflow_core/tests/crash_repro/gif_oob_palette_index.gif"))
+            .expect("read fixture");
+    let mut ctx = create_context();
+    let _ = ctx.add_copied_input_buffer(0, &gif);
+
+    let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
+        let _ = ctx.add_output_buffer(1);
+        let _ = ctx.build_1(s::Build001 {
+            builder_config: None,
+            io: vec![
+                s::IoObject {
+                    direction: s::IoDirection::In,
+                    io_id: 0,
+                    io: s::IoEnum::Placeholder,
+                },
+                s::IoObject {
+                    direction: s::IoDirection::Out,
+                    io_id: 1,
+                    io: s::IoEnum::OutputBuffer,
+                },
+            ],
+            framewise: s::Framewise::Steps(vec![
+                s::Node::Decode { io_id: 0, commands: None },
+                s::Node::Encode { io_id: 1, preset: s::EncoderPreset::Gif },
+            ]),
+        });
+    }));
+
+    match result {
+        Ok(_) => println!("GIF with OOB palette indices in pixel data handled safely"),
+        Err(e) => panic!("Panic on GIF with OOB palette index: {:?}", e),
+    }
+}
+
+// =============================================================================
+// GIF frame buffer OOB (existing crash repro)
+// =============================================================================
+
+#[test]
+fn test_gif_frame_buffer_oob() {
+    let gif =
+        fs::read(repo_root().join("imageflow_core/tests/crash_repro/gif_frame_buffer_oob.gif"))
+            .expect("read fixture");
+    let mut ctx = create_context();
+    let _ = ctx.add_copied_input_buffer(0, &gif);
+
+    let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
+        let _ = ctx.add_output_buffer(1);
+        let _ = ctx.build_1(s::Build001 {
+            builder_config: None,
+            io: vec![
+                s::IoObject {
+                    direction: s::IoDirection::In,
+                    io_id: 0,
+                    io: s::IoEnum::Placeholder,
+                },
+                s::IoObject {
+                    direction: s::IoDirection::Out,
+                    io_id: 1,
+                    io: s::IoEnum::OutputBuffer,
+                },
+            ],
+            framewise: s::Framewise::Steps(vec![
+                s::Node::Decode { io_id: 0, commands: None },
+                s::Node::Encode { io_id: 1, preset: s::EncoderPreset::Gif },
+            ]),
+        });
+    }));
+
+    match result {
+        Ok(_) => println!("GIF frame buffer OOB handled safely"),
+        Err(e) => panic!("Panic on GIF frame buffer OOB: {:?}", e),
+    }
+}
+
 // =============================================================================
 // WebP with oversized RIFF claim
 // =============================================================================