From bb6f4d218bef94a8f5ca0c1ab919e3cfcd6645ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Antonio=20Zamudio=20Amaya?=
Date: Sun, 21 Jun 2026 14:44:47 +0200
Subject: [PATCH] Add advisory for psd: panic via out-of-bounds slice on crafted PSD
---
 crates/psd/RUSTSEC-0000-0000.md | 40 +++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 crates/psd/RUSTSEC-0000-0000.md
diff --git a/crates/psd/RUSTSEC-0000-0000.md b/crates/psd/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..0dda2a8f7
--- /dev/null
+++ b/crates/psd/RUSTSEC-0000-0000.md
@@ -0,0 +1,40 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "psd"
+date = "2026-06-21"
+categories = ["denial-of-service"]
+keywords = ["dos", "panic", "out-of-bounds", "untrusted-input", "psd"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+references = ["https://github.com/chinedufn/psd"]
+
+[versions]
+patched = []
+```
+
+# Panic via out-of-bounds slice in `psd` when parsing a crafted PSD file
+
+`Psd::from_bytes` slices the image-data section using a length taken from the file header without
+validating it against the actual remaining buffer length. A 54-byte crafted PSD triggers an
+out-of-bounds slice and panics in `src/sections/mod.rs`
+(`range end index 18 out of range for slice of length 16`).
+
+A caller that parses untrusted PSD input and does not wrap the call in `catch_unwind` will have
+the panicking thread torn down (and, in a single-threaded program or under `panic = "abort"`,
+the whole process), so this is a denial of service on untrusted input.
+
+Re-confirmed on `psd` 0.3.5 (latest at time of writing), default configuration.
+
+## Proof of concept
+
+```rust
+fn main() {
+ let bytes = std::fs::read("poc.psd").unwrap(); // 54-byte crafted PSD
+ let _ = psd::Psd::from_bytes(&bytes); // panic: range end index out of range
+}
+```
+
+## Suggested fix
+
+Bounds-check the declared section length against the remaining buffer before slicing, and return
+`Err(PsdError)` instead of indexing out of range.
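Review bot: The `references` entry in the `[advisory]` table points only at the repository root and no `url` field is given, so readers of the advisory have no issue, report or fixing commit to track; once the upstream report exists, add `url = "<UPSTREAM-ISSUE-URL>"` (placeholder) and list the fixing commit under `references`. The description names `Psd::from_bytes` as the vulnerable entry point but the TOML block has no `[affected]` table; adding `functions = { "psd::Psd::from_bytes" = ["<= 0.3.5"] }` under `[affected]` would let `cargo audit` scope the finding to callers of that function, with the bound taken from the "re-confirmed on 0.3.5" line and to be widened if later unpatched releases appear. The proof of concept reads a `poc.psd` that is not part of this commit, so maintainers cannot reproduce from the advisory alone; either link the upstream issue where the sample was shared or name the header field whose declared length exceeds the buffer so the check in the "Suggested fix" section can be verified against it.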