bep
diff --git a/‎helpers.go‎
Lines changed: 8 additions & 2 deletions b/‎helpers.go‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎imagedecoder_png.go‎
Lines changed: 9 additions & 9 deletions b/‎imagedecoder_png.go‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎imagedecoder_webp.go‎
Lines changed: 31 additions & 1 deletion b/‎imagedecoder_webp.go‎
Lines changed: 31 additions & 1 deletion
diff --git a/‎imagemeta.go‎
Lines changed: 36 additions & 26 deletions b/‎imagemeta.go‎
Lines changed: 36 additions & 26 deletions
diff --git a/‎imagemeta_fuzz._test.go‎
Lines changed: 77 additions & 0 deletions b/‎imagemeta_fuzz._test.go‎
Lines changed: 77 additions & 0 deletions
diff --git a/‎imagemeta_test.go‎
Lines changed: 3 additions & 0 deletions b/‎imagemeta_test.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎io.go‎
Lines changed: 19 additions & 1 deletion b/‎io.go‎
Lines changed: 19 additions & 1 deletion
diff --git a/‎metadecoder_iptc.go‎
Lines changed: 8 additions & 8 deletions b/‎metadecoder_iptc.go‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎metadecoder_xmp.go‎
Lines changed: 1 addition & 1 deletion b/‎metadecoder_xmp.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎testdata/fuzz/FuzzDecodeJPG/1ccacf70a7af5b48‎
Lines changed: 2 additions & 0 deletions b/‎testdata/fuzz/FuzzDecodeJPG/1ccacf70a7af5b48‎
Lines changed: 2 additions & 0 deletions
@@ -117,13 +117,19 @@ type float64Provider interface {
 }
 
 func (vc) convertAPEXToFNumber(byteOrder binary.ByteOrder, v any) any {
-	r := v.(float64Provider)
+	r, ok := v.(float64Provider)
+	if !ok {
+		return 0
+	}
 	f := r.Float64()
 	return math.Pow(2, f/2)
 }
 
 func (vc) convertAPEXToSeconds(byteOrder binary.ByteOrder, v any) any {
-	r := v.(float64Provider)
+	r, ok := v.(float64Provider)
+	if !ok {
+		return 0
+	}
 	f := r.Float64()
 	f = 1 / math.Pow(2, f)
 	return f
 
@@ -62,12 +62,15 @@ func (e *imageDecoderPNG) decode() error {
 			if bytes.Equal(keyword, pngRawProfileTypeIPTC) {
 				if sources.Has(IPTC) {
 					sources = sources.Remove(IPTC)
-					data := decompressZTXt(e.readBytesVolatile(int(chunkLength - zTXtKeywordLength)))
+					data, err := decompressZTXt(e.readBytesVolatile(int(chunkLength - zTXtKeywordLength)))
+					if err != nil {
+						return newInvalidFormatError(fmt.Errorf("decompressing zTXt: %w", err))
+					}
 					// ImageMagick has different headers, so make this smarter. TODO1
 					data = data[23:] // Skip the header bytes.
 					data = bytes.ReplaceAll(data, []byte("\n"), []byte(""))
 					d := make([]byte, hex.DecodedLen(len(data)))
-					_, err := hex.Decode(d, data)
+					_, err = hex.Decode(d, data)
 					if err != nil {
 						return fmt.Errorf("decoding hex: %w", err)
 					}
@@ -96,21 +99,18 @@ func (e *imageDecoderPNG) decode() error {
 }
 
 // TODO1 get rid of the panics.
-func decompressZTXt(data []byte) []byte {
+func decompressZTXt(data []byte) ([]byte, error) {
 	// The first byte after the null indicates the compression method, for which only deflate is currently defined (method zero).
 	compressionMethod := data[1]
 	if compressionMethod != 0 {
-		panic(fmt.Errorf("unknown PNG compression method %v", compressionMethod))
+		return nil, fmt.Errorf("unknown PNG compression method %v", compressionMethod)
 	}
 	b := bytes.NewReader(data[2:])
 	z, err := zlib.NewReader(b)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}
 	defer z.Close()
 	p, err := io.ReadAll(z)
-	if err != nil {
-		panic(err)
-	}
-	return p
+	return p, err
 }
@@ -2,6 +2,7 @@ package imagemeta
 
 import (
 	"errors"
+	"strings"
 )
 
 var (
@@ -26,7 +27,36 @@ type InvalidFormatError struct {
 }
 
 func (e *InvalidFormatError) Error() string {
-	return e.Err.Error()
+	return "invalid format: " + e.Err.Error()
+}
+
+// Is reports whether the target error is an InvalidFormatError.
+func (e *InvalidFormatError) Is(target error) bool {
+	_, ok := target.(*InvalidFormatError)
+	return ok
+}
+
+func newInvalidFormatErrorFromString(s string) error {
+	return &InvalidFormatError{errors.New(s)}
+}
+
+func newInvalidFormatError(err error) error {
+	return &InvalidFormatError{err}
+}
+
+// These error situations comes from the Go Fuzz modifying the input data to trigger panics.
+// We want to separate panics that we can do something about and "invalid format" errors.
+var invalidFormatErrorStrings = []string{
+	"unexpected EOF",
+}
+
+func isInvalidFormatErrorCandidate(err error) bool {
+	for _, s := range invalidFormatErrorStrings {
+		if strings.Contains(err.Error(), s) {
+			return true
+		}
+	}
+	return false
 }
 
 type baseStreamingDecoder struct {
 
@@ -44,6 +44,39 @@ const (
 
 // Decode reads EXIF and IPTC metadata from r and returns a Meta struct.
 func Decode(opts Options) (err error) {
+	var base *baseStreamingDecoder
+
+	defer func() {
+		if r := recover(); r != nil {
+			if errp := r.(error); errp != nil {
+				if isInvalidFormatErrorCandidate(errp) {
+					err = newInvalidFormatError(errp)
+				} else if errp != errStop {
+					panic(errp)
+				}
+			}
+		}
+
+		if err == nil {
+			if base != nil {
+				err = base.streamErr()
+			}
+		}
+
+		if err == nil {
+			return
+		}
+
+		if err == io.EOF {
+			err = nil
+			return
+		}
+
+		if isInvalidFormatErrorCandidate(err) {
+			err = newInvalidFormatError(err)
+		}
+	}()
+
 	if opts.R == nil {
 		return fmt.Errorf("no reader provided")
 	}
@@ -97,28 +130,11 @@ func Decode(opts Options) (err error) {
 		byteOrder: binary.BigEndian,
 	}
 
-	base := &baseStreamingDecoder{
+	base = &baseStreamingDecoder{
 		streamReader: br,
 		opts:         opts,
 	}
 
-	defer func() {
-		if r := recover(); r != nil {
-			if r != errStop {
-				panic(r)
-			}
-
-			if err == nil {
-				err = base.streamErr()
-			}
-
-			if err == io.EOF {
-				err = nil
-			}
-
-		}
-	}()
-
 	var dec decoder
 
 	switch opts.ImageFormat {
@@ -134,18 +150,12 @@ func Decode(opts Options) (err error) {
 	}
 
 	err = dec.decode()
-
-	if err == ErrStopWalking {
-		return nil
-	}
-
 	if err != nil {
-		if err == io.EOF {
+		if err == ErrStopWalking {
 			return nil
 		}
-		return err
 	}
-	return nil
+	return
 }
 
 // HandleTagFunc is the function that is called for each tag.
 
@@ -0,0 +1,77 @@
+package imagemeta_test
+
+import (
+	"bytes"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/bep/imagemeta"
+)
+
+func FuzzDecodeJPG(f *testing.F) {
+	filenames := []string{"sunrise.jpg", "goexif/geodegrees_as_string.jpg", "metadata_demo_exif_only.jpg", "metadata_demo_iim_and_xmp_only.jpg"}
+	for _, filename := range filenames {
+		f.Add(readTestDataFileAll(f, filename))
+	}
+
+	f.Fuzz(func(t *testing.T, imageBytes []byte) {
+		fuzzDecodeBytes(t, imageBytes, imagemeta.JPEG)
+	})
+}
+
+func FuzzDecodeWebP(f *testing.F) {
+	filenames := []string{"sunrise.webp"}
+
+	for _, filename := range filenames {
+		f.Add(readTestDataFileAll(f, filename))
+	}
+
+	f.Fuzz(func(t *testing.T, imageBytes []byte) {
+		fuzzDecodeBytes(t, imageBytes, imagemeta.WebP)
+	})
+}
+
+func FuzzDecodePNG(f *testing.F) {
+	filenames := []string{"sunrise.png", "metadata-extractor-images/png/issue614.png"}
+
+	for _, filename := range filenames {
+		f.Add(readTestDataFileAll(f, filename))
+	}
+
+	f.Fuzz(func(t *testing.T, imageBytes []byte) {
+		fuzzDecodeBytes(t, imageBytes, imagemeta.PNG)
+	})
+}
+
+func FuzzDecodeTIFF(f *testing.F) {
+	filenames := []string{"sunrise.tif"}
+
+	for _, filename := range filenames {
+		f.Add(readTestDataFileAll(f, filename))
+	}
+
+	f.Fuzz(func(t *testing.T, imageBytes []byte) {
+		fuzzDecodeBytes(t, imageBytes, imagemeta.TIFF)
+	})
+}
+
+func fuzzDecodeBytes(t *testing.T, imageBytes []byte, f imagemeta.ImageFormat) error {
+	r := bytes.NewReader(imageBytes)
+	err := imagemeta.Decode(imagemeta.Options{R: r, ImageFormat: f, Sources: imagemeta.EXIF | imagemeta.IPTC | imagemeta.XMP})
+	if err != nil {
+		if !imagemeta.IsInvalidFormat(err) {
+			t.Fatalf("unknown error in Decode: %v %T", err, err)
+		}
+	}
+	return nil
+}
+
+func readTestDataFileAll(t testing.TB, filename string) []byte {
+	t.Helper()
+	b, err := os.ReadFile(filepath.Join("testdata", filename))
+	if err != nil {
+		t.Fatalf("failed to read file %q: %v", filename, err)
+	}
+	return b
+}
@@ -742,6 +742,9 @@ func withGolden(t testing.TB, sources imagemeta.Source) {
 		if strings.HasPrefix(path, "corrupt") {
 			return nil
 		}
+		if strings.HasPrefix(path, "fuzz") {
+			return nil
+		}
 		if goldenSkip[filepath.ToSlash(path)] {
 			return nil
 		}
 
@@ -24,7 +24,7 @@ var bytesAndReaderPool = &sync.Pool{
 
 func getBytesAndReader(length int) *bytesAndReader {
 	b := bytesAndReaderPool.Get().(*bytesAndReader)
-	if cap(b.b) < length {
+	if length > len(b.b) {
 		b.b = make([]byte, length)
 	}
 	b.b = b.b[:length]
@@ -76,9 +76,27 @@ type streamReader struct {
 	readerOffset int64
 }
 
+var noopCloser closerFunc = func() error {
+	return nil
+}
+
 // bufferedReader reads length bytes from the stream and returns a ReaderCloser.
 // It's important to call Close on the ReaderCloser when done.
 func (e *streamReader) bufferedReader(length int64) (readerCloser, error) {
+	if length == 0 {
+		return struct {
+			io.ReadSeeker
+			io.Closer
+		}{
+			bytes.NewReader(nil),
+			noopCloser,
+		}, nil
+	}
+
+	if length < 0 {
+		return nil, newInvalidFormatErrorFromString("negative length")
+	}
+
 	br := getBytesAndReader(int(length))
 
 	_, err := io.ReadFull(e.r, br.b)
 
@@ -95,7 +95,7 @@ var (
 			b := v.([]byte)
 			s := resolveCodedCharacterSet(b)
 			if s == "" {
-				return UTF8
+				return characterSetUTF8
 			}
 			return s
 		},
@@ -273,7 +273,7 @@ func (e *metaDecoderIPTC) decodeRecord(stringSlices map[iptcField][]string) erro
 	switch recordDef.Format {
 	case "string":
 		v = e.readBytesVolatile(int(recordSize))
-		if e.charset == "" || e.charset == ISO88591 {
+		if e.charset == "" || e.charset == characterSetISO88591 {
 			v, _ = e.iso88591CharsetDecoder.Bytes(v.([]byte))
 		}
 	case "uint32":
@@ -375,8 +375,8 @@ func init() {
 }
 
 const (
-	UTF8     = "UTF-8"
-	ISO88591 = "ISO-8859-1"
+	characterSetUTF8     = "UTF-8"
+	characterSetISO88591 = "ISO-8859-1"
 )
 
 // resolveCodedCharacterSet resolves the coded character set from the IPTC data
@@ -392,19 +392,19 @@ func resolveCodedCharacterSet(b []byte) string {
 	)
 
 	if len(b) > 2 && b[0] == esc && b[1] == percent && b[2] == latinCapitalG {
-		return UTF8
+		return characterSetUTF8
 	}
 
 	if len(b) > 2 && b[0] == esc && b[1] == dot && b[2] == latinCapitalA {
-		return ISO88591
+		return characterSetISO88591
 	}
 
 	if len(b) > 3 && b[0] == esc && (b[1] == dot || b[2] == dot || b[3] == dot) && b[4] == latinCapitalA {
-		return ISO88591
+		return characterSetISO88591
 	}
 
 	if len(b) > 2 && b[0] == esc && b[1] == minus && b[2] == latinCapitalA {
-		return ISO88591
+		return characterSetISO88591
 	}
 
 	return ""
 
@@ -40,7 +40,7 @@ func decodeXMP(r io.Reader, opts Options) error {
 
 	var meta xmpmeta
 	if err := xml.NewDecoder(r).Decode(&meta); err != nil {
-		return fmt.Errorf("decoding XMP: %w", err)
+		return newInvalidFormatError(fmt.Errorf("decoding XMP: %w", err))
 	}
 
 	for _, attr := range meta.RDF.Description.Attrs {
Original file line number	Diff line number	Diff line change
`@@ -742,6 +742,9 @@ func withGolden(t testing.TB, sources imagemeta.Source) {`
`742`	`742`	`if strings.HasPrefix(path, "corrupt") {`
`743`	`743`	`return nil`
`744`	`744`	`}`
	`745`	`+ if strings.HasPrefix(path, "fuzz") {`
	`746`	`+ return nil`
	`747`	`+ }`
`745`	`748`	`if goldenSkip[filepath.ToSlash(path)] {`
`746`	`749`	`return nil`
`747`	`750`	`}`
Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ var (`
`95`	`95`	`b := v.([]byte)`
`96`	`96`	`s := resolveCodedCharacterSet(b)`
`97`	`97`	`if s == "" {`
`98`		`- return UTF8`
	`98`	`+ return characterSetUTF8`
`99`	`99`	`}`
`100`	`100`	`return s`
`101`	`101`	`},`
`@@ -273,7 +273,7 @@ func (e *metaDecoderIPTC) decodeRecord(stringSlices map[iptcField][]string) erro`
`273`	`273`	`switch recordDef.Format {`
`274`	`274`	`case "string":`
`275`	`275`	`v = e.readBytesVolatile(int(recordSize))`
`276`		`- if e.charset == "" \|\| e.charset == ISO88591 {`
	`276`	`+ if e.charset == "" \|\| e.charset == characterSetISO88591 {`
`277`	`277`	`v, _ = e.iso88591CharsetDecoder.Bytes(v.([]byte))`
`278`	`278`	`}`
`279`	`279`	`case "uint32":`
`@@ -375,8 +375,8 @@ func init() {`
`375`	`375`	`}`
`376`	`376`
`377`	`377`	`const (`
`378`		`- UTF8 = "UTF-8"`
`379`		`- ISO88591 = "ISO-8859-1"`
	`378`	`+ characterSetUTF8 = "UTF-8"`
	`379`	`+ characterSetISO88591 = "ISO-8859-1"`
`380`	`380`	`)`
`381`	`381`
`382`	`382`	`// resolveCodedCharacterSet resolves the coded character set from the IPTC data`
`@@ -392,19 +392,19 @@ func resolveCodedCharacterSet(b []byte) string {`
`392`	`392`	`)`
`393`	`393`
`394`	`394`	`if len(b) > 2 && b[0] == esc && b[1] == percent && b[2] == latinCapitalG {`
`395`		`- return UTF8`
	`395`	`+ return characterSetUTF8`
`396`	`396`	`}`
`397`	`397`
`398`	`398`	`if len(b) > 2 && b[0] == esc && b[1] == dot && b[2] == latinCapitalA {`
`399`		`- return ISO88591`
	`399`	`+ return characterSetISO88591`
`400`	`400`	`}`
`401`	`401`
`402`	`402`	`if len(b) > 3 && b[0] == esc && (b[1] == dot \|\| b[2] == dot \|\| b[3] == dot) && b[4] == latinCapitalA {`
`403`		`- return ISO88591`
	`403`	`+ return characterSetISO88591`
`404`	`404`	`}`
`405`	`405`
`406`	`406`	`if len(b) > 2 && b[0] == esc && b[1] == minus && b[2] == latinCapitalA {`
`407`		`- return ISO88591`
	`407`	`+ return characterSetISO88591`
`408`	`408`	`}`
`409`	`409`
`410`	`410`	`return ""`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ func decodeXMP(r io.Reader, opts Options) error {`
`40`	`40`
`41`	`41`	`var meta xmpmeta`
`42`	`42`	`if err := xml.NewDecoder(r).Decode(&meta); err != nil {`
`43`		`- return fmt.Errorf("decoding XMP: %w", err)`
	`43`	`+ return newInvalidFormatError(fmt.Errorf("decoding XMP: %w", err))`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`for _, attr := range meta.RDF.Description.Attrs {`