Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Image.Load throws ExecutionEngineException #839

Closed
4 tasks done
Metalnem opened this issue Feb 20, 2019 · 3 comments
Closed
4 tasks done

Image.Load throws ExecutionEngineException #839

Metalnem opened this issue Feb 20, 2019 · 3 comments
Assignees
@JimBobSquarePants
Labels
bug formats:jpeg
Milestone
1.0.0-rc1

Comments

@Metalnem
Copy link

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am running the latest version of ImageSharp
  • I have verified if the problem exist in both DEBUG and RELEASE mode
  • I have searched open and closed issues to ensure it has not already been reported

Description

Image.Load throws ExecutionEngineException when loading malformed JPG file. The stack trace looks almost the same as in the #827, which probably means the previous issue hasn't been fixed completely.

Steps to Reproduce

Run the following code snippet with the path variable containing the path to the file from the attached archive:

Image.Load(path);

SOS exception details:

Exception object: 000000018eb911f8
Exception type:   System.ExecutionEngineException
Message:          <none>
InnerException:   <none>
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80131506

Stack trace:

00007FFEE12723E0 00007fff785f923e [FaultingExceptionFrame: 00007ffee12723e0] 
00007FFEE1273850 000000011DC57772 SixLabors.ImageSharp.Formats.Jpeg.Components.Decoder.HuffmanTable..ctor(SixLabors.Memory.MemoryAllocator, System.ReadOnlySpan`1<Byte>, System.ReadOnlySpan`1<Byte>) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Formats/Jpeg/Components/Decoder/HuffmanTable.cs @ 114]
00007FFEE12738E0 000000011DC56D55 SixLabors.ImageSharp.Formats.Jpeg.JpegDecoderCore.ProcessDefineHuffmanTablesMarker(Int32)
00007FFEE1274000 000000011DC51FF7 SixLabors.ImageSharp.Formats.Jpeg.JpegDecoderCore.ParseStream(System.IO.Stream, Boolean) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs @ 313]
00007FFEE1274060 000000011DC51285 SixLabors.ImageSharp.Formats.Jpeg.JpegDecoderCore.Decode[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](System.IO.Stream) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs @ 223]
00007FFEE1274080 000000011DC510D5 SixLabors.ImageSharp.Formats.Jpeg.JpegDecoder.Decode[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](SixLabors.ImageSharp.Configuration, System.IO.Stream) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Formats/Jpeg/JpegDecoder.cs @ 25]
00007FFEE12740C0 000000011DC4E937 SixLabors.ImageSharp.Image.Decode[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](System.IO.Stream, SixLabors.ImageSharp.Configuration) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Image.Decode.cs @ 103]
00007FFEE1274120 000000011DC4E42C SixLabors.ImageSharp.Image.Load[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](SixLabors.ImageSharp.Configuration, System.IO.Stream, SixLabors.ImageSharp.Formats.IImageFormat ByRef) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Image.FromStream.cs @ 177]
00007FFEE1274190 000000011DC4E2CB SixLabors.ImageSharp.Image.Load[[SixLabors.ImageSharp.PixelFormats.Rgba32, SixLabors.ImageSharp]](SixLabors.ImageSharp.Configuration, Byte[]) [/Users/Metalnem/Temp/ImageSharp/src/ImageSharp/Image.FromBytes.cs @ 123]

System Configuration

  • ImageSharp version: master - 8f3658d
  • Environment (Operating system, version and so on): Mac OS X 10.14
  • .NET Framework version: .NET Core 2.2.104

Found via SharpFuzz.
@JimBobSquarePants JimBobSquarePants self-assigned this Feb 20, 2019
@JimBobSquarePants JimBobSquarePants added this to the 1.0.0-rc1 milestone Feb 20, 2019
JimBobSquarePants added a commit that referenced this issue Feb 20, 2019
@JimBobSquarePants
Lazily derive the huffman tables. Fix #839
f6a56b4
@antonfirsov
Copy link
Member

@Metalnem what is the simplest way to produce malformed input for a given format? Is my understanding correct that I need to learn afl-fuzz for this?

@Metalnem
Copy link
Author

Yes, you will have to learn afl-fuzz for this. But that's relatively easy thing to do: I wrote a step-by-step tutorial on SharpFuzz installation and usage here. You can also find my ImageSharp fuzzing project here. If you have any troubles setting up SharpFuzz, or any additional questions, just send me an email and I'll assist you.

antonfirsov pushed a commit to antonfirsov/ImageSharp that referenced this issue Nov 11, 2019
@JimBobSquarePants
Lazily derive the huffman tables. Fix SixLabors#839 (SixLabors#841)
011978e 
* Lazily derive the huffman tables. Fix SixLabors#839

* Lazy invoke fast table

* Add performance tweaks to scan decoder.

* Remove unneccessary classes.
@br3aker
Copy link
Contributor

br3aker commented Jan 9, 2022
edited
Loading

Note if this issue would come up again:

Attached image is malformed, weird things start at DHT (0xffc4) marker. Huffman values are malformed in a way huffman table building code was going out of bounds corrupting memory and CLR state which led to ExecutionEngineException. Runtime doesn't use this exception nowadays:

ExecutionEngineException previously indicated an unspecified fatal error in the runtime. The runtime no longer raises this exception so this type is obsolete.

So it's kind of unspottable without manual debugging.

This problem was fixed here: #1926

@br3aker br3aker mentioned this issue Jan 9, 2022
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JimBobSquarePants JimBobSquarePants

Labels
bug formats:jpeg
Projects
None yet
Milestone
1.0.0-rc1
Development

No branches or pull requests
4 participants
@JimBobSquarePants @Metalnem @antonfirsov @br3aker