Treat UnexpectedEof under parse_chunk as a FormatError.

Fuzzing found a broken PNG file where an `fcTL` chunk is too short, and where `read_be` or `read_exact` in `parse_fctl` returns `UnexpectedEof`. This file was saved under `fuzz/corpus/buf_independent/regressions`. Before this commit, the input above would mislead the client/fuzzer code into thinking that there is a recoverable error that may go away after more PNG bytes are available. (This was incorrect because `parse_chunk` and `parse_fctl` are only called after gathering *all* the bytes of a chunk into `ChunkState::raw_bytes`.) But when the client tried resuming, we got into an infinite loop because `StreamingDecoder` has already given up and set `state` to `None`. After this commit, the timeout is avoided by properly indicating a non-recoverable error in such a situation.
image-rs · Sep 24, 2024 · 3bc310d · 3bc310d
1 parent ab0e86c
commit 3bc310d
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/...orpus/buf_independent/regressions/minimized-from-a1a0f9ae81d63ecf08d1cd0efbc73e40e7909681 b/...orpus/buf_independent/regressions/minimized-from-a1a0f9ae81d63ecf08d1cd0efbc73e40e7909681
diff --git a/src/decoder/stream.rs b/src/decoder/stream.rs
@@ -250,6 +250,10 @@ pub(crate) enum FormatErrorInner {
     UnexpectedRestartOfDataChunkSequence {
         kind: ChunkType,
     },
+    /// Failure to parse a chunk, because the chunk didn't contain enough bytes.
+    ChunkTooShort {
+        kind: ChunkType,
+    },
 }
 
 impl error::Error for DecodingError {
@@ -376,6 +380,9 @@ impl fmt::Display for FormatError {
             UnexpectedRestartOfDataChunkSequence { kind } => {
                 write!(fmt, "Unexpected restart of {:?} chunk sequence", kind)
             }
+            ChunkTooShort { kind } => {
+                write!(fmt, "Chunk is too short: {:?}", kind)
+            }
         }
     }
 }
@@ -951,9 +958,22 @@ impl StreamingDecoder {
             _ => Ok(Decoded::PartialChunk(type_str)),
         };
 
-        if parse_result.is_err() {
+        let parse_result = parse_result.map_err(|e| {
             self.state = None;
-        }
+            match e {
+                // `parse_chunk` is invoked after gathering **all** bytes of a chunk, so
+                // `UnexpectedEof` from something like `read_be` is permanent and indicates an
+                // invalid PNG that should be represented as a `FormatError`, rather than as a
+                // (potentially recoverable) `IoError` / `UnexpectedEof`.
+                DecodingError::IoError(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => {
+                    let fmt_err: FormatError =
+                        FormatErrorInner::ChunkTooShort { kind: type_str }.into();
+                    fmt_err.into()
+                }
+                e => e,
+            }
+        });
+
         parse_result
     }