Avoid overflow in calculateNumTiles when size=MAX_INT #825
Conversation
Signed-off-by: Cary Phillips <[email protected]>
I think bailing early is sensible, to help protect against any other issues that might be uncovered handling very large files. |
|
size is an int. The resolution of the MIPmap level, The current code oddly disallows the level resolution to be close to intmax, not because it's a real limit, but simply because some values of an intermediate calculation of the expression By declaring L as an int64_t, that will make the temporary wide enough to do the |
|
Ah yes, so you can overflow with an image which is only just under INT_MAX wide, even with plausible sized tiles. Is it correct that the code wouldn't overflow for any mipmap level in any rounding mode if (width of dataWindow)+(tile width) and (height of dataWindow)+(tile height) are both less than INT_MAX-1? That seems like a sane limit to have anyway, since both individually have to be less than INT_MAX. My point was really that these are insane situations anyway, since the practical limit to image dimensions is significantly less than INT_MAX. All these tests and workarounds do is to protect against 'non-legit' EXR files. I suppose switching everything to 64 bit would allow the test and the exception to be removed, so would be more efficient, and might be a better way to go. |
Signed-off-by: Cary Phillips <[email protected]>
|
Good thought, it makes sense to switch to i64 for those reasons. |
…les when size=MAX_INT Signed-off-by: Peter Hillman <[email protected]>
…tests (#875) * ignore unused bits in B44 mode detection Signed-off-by: Peter Hillman <[email protected]> * apply #832: use unsigned values in shift to prevent undefined behavior Signed-off-by: Peter Hillman <[email protected]> * apply #818: compute Huf codelengths using 64 bit to prevent shift overflow Signed-off-by: Peter Hillman <[email protected]> * apply #817: double-check unpackedBuffer created in DWA uncompress Signed-off-by: Peter Hillman <[email protected]> * apply #820: suppress sanitizer warnings when writing invalid enums Signed-off-by: Peter Hillman <[email protected]> * apply #825: Avoid overflow in calculateNumTiles when size=MAX_INT Signed-off-by: Peter Hillman <[email protected]> * apply #826: restrict maximum tile size to INT_MAX byte limit Signed-off-by: Peter Hillman <[email protected]> * apply #827: lighter weight reading of Luma-only images via RgbaInputFile Signed-off-by: Peter Hillman <[email protected]> * refactor channel filling in InputFile API with tiled source Signed-off-by: Peter Hillman <[email protected]> * handle edge-case of empty framebuffer Signed-off-by: Peter Hillman <[email protected]> * apply #829: fix buffer overflow check in PIZ decompression Signed-off-by: Peter Hillman <[email protected]> * Use Int64 in dataWindowForTile to prevent integer overflow (#831) * Use Int64 in dataWindowForTile to prevent integer overflow Signed-off-by: Peter Hillman <[email protected]> * use signed 64 bit instead for dataWindow calculation Signed-off-by: Peter Hillman <[email protected]> Co-authored-by: Cary Phillips <[email protected]> Signed-off-by: Peter Hillman <[email protected]> * prevent overflow in hufUncompress if nBits is large (#836) Signed-off-by: Peter Hillman <[email protected]> * add sanity check for reading multipart files with no parts (#840) Signed-off-by: Peter Hillman <[email protected]> * reduce B44 _tmpBufferSize (was allocating two bytes per byte) (#843) Signed-off-by: Peter Hillman <[email protected]> * check for valid Huf code lengths (#849) * check for valid Huf code lengths * test non-fast huf decoder in testHuf Signed-off-by: Peter Hillman <[email protected]> * check 1 part files with 'nonimage' bit have type attribute (#860) Signed-off-by: Peter Hillman <[email protected]> Co-authored-by: Cary Phillips <[email protected]> Signed-off-by: Peter Hillman <[email protected]> * Fix overflow computing deeptile sample table size (#861) Signed-off-by: Peter Hillman <[email protected]> * re-order shift/compare in FastHuf to prevent undefined shift overflow warning (#819) Signed-off-by: Peter Hillman <[email protected]> Co-authored-by: Cary Phillips <[email protected]> Signed-off-by: Peter Hillman <[email protected]> * more elegant exception handling in exrmaketiled (#841) Signed-off-by: Peter Hillman <[email protected]> * check EXRAllocAligned succeeded to allocate ScanlineInputFile lineBuffers (#844) Signed-off-by: Peter Hillman <[email protected]> * test channels are DCT compressed before DWA decompression (#845) Signed-off-by: Peter Hillman <[email protected]> * Merge ABI-compatible changes from #842 Signed-off-by: Peter Hillman <[email protected]> Co-authored-by: Cary Phillips <[email protected]>
…eFoundation#825) * Avoid overflow in calculateNumTiles when size=MAX_INT Signed-off-by: Cary Phillips <[email protected]> * Compute level size with 64 bits to avoid overflow Signed-off-by: Cary Phillips <[email protected]>
…eFoundation#825) * Avoid overflow in calculateNumTiles when size=MAX_INT Signed-off-by: Cary Phillips <[email protected]> * Compute level size with 64 bits to avoid overflow Signed-off-by: Cary Phillips <[email protected]>
* double-check unpackedBuffer created in DWA uncompress Signed-off-by: Peter Hillman <[email protected]> Signed-off-by: Cary Phillips <[email protected]> * compute Huf codelengths using 64 bit to prevent shift overflow Signed-off-by: Peter Hillman <[email protected]> Signed-off-by: Cary Phillips <[email protected]> * Avoid overflow in calculateNumTiles when size=MAX_INT (#825) * Avoid overflow in calculateNumTiles when size=MAX_INT Signed-off-by: Cary Phillips <[email protected]> * Compute level size with 64 bits to avoid overflow Signed-off-by: Cary Phillips <[email protected]> * More efficient handling of filled channels reading tiles with scanline API (#830) * refactor channel filling in InputFile API with tiled source Signed-off-by: Peter Hillman <[email protected]> * handle edge-case of empty framebuffer Signed-off-by: Peter Hillman <[email protected]> Signed-off-by: Cary Phillips <[email protected]> * fix undefined behavior: ignore unused bits in B44 mode detection (#832) Signed-off-by: Peter Hillman <[email protected]> Signed-off-by: Cary Phillips <[email protected]> * Fix overflow computing deeptile sample table size (#861) Signed-off-by: Peter Hillman <[email protected]> Signed-off-by: Cary Phillips <[email protected]> * sanity check ScanlineInput bytesPerLine instead of lineOffset size (#863) Signed-off-by: Peter Hillman <[email protected]> Co-authored-by: Cary Phillips <[email protected]> Signed-off-by: Cary Phillips <[email protected]> * Release notes for v2.4.3 Signed-off-by: Cary Phillips <[email protected]> * Bump version for v2.4.3 Signed-off-by: Cary Phillips <[email protected]> * reduce size limit for scanline files; prevent large chunkoffset allocations (#824) * reduce size limit for scanline files; protect against large chunkoffset allocations Signed-off-by: Peter Hillman <[email protected]> * bugfix for memory limit changes Signed-off-by: Peter Hillman <[email protected]> * rearrange chunkoffset test to protect bytesperline table too Signed-off-by: Peter Hillman <[email protected]> * remove extraneous function declaration; tidy comments Signed-off-by: Peter Hillman <[email protected]> Signed-off-by: Cary Phillips <[email protected]> * Change v2.4.3 release date to May 17, and clean up urls Signed-off-by: Cary Phillips <[email protected]> Co-authored-by: Peter Hillman <[email protected]>
Addresses https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25297
Signed-off-by: Cary Phillips [email protected]