Commit f5beec2
authored
Security: fix signed integer overflow in undo_pxr24_impl() (PXR24 decoder) (#2323)

In the `EXR_PIXEL_FLOAT` branch of `undo_pxr24_impl()`, the expressions

    (uint64_t)(w * 3)

compute the signed 32-bit product `w * 3` before the cast to `uint64_t`.
When `w` is large this is undefined behavior under the C standard; on
two's-complement builds without sanitizers the result wraps to a small
positive value, which can cause the bounds check

    if (nDec + (uint64_t)(w * 3) > outSize)

to pass incorrectly. If the check is bypassed the decode loop proceeds
to write `4*w` bytes through `dout`, potentially far beyond the allocated
output buffer.

Fix: cast `w` to `uint64_t` before multiplying so that both the bounds
check and the counter update are performed entirely in 64-bit unsigned
arithmetic:

    (uint64_t)w * 3    (cast before multiply, not after)

The `EXR_PIXEL_UINT` and `EXR_PIXEL_HALF` decode branches are unaffected:
they reuse the pre-computed `nBytes` variable, which is already formed as
`(uint64_t)(w) * (uint64_t)(bytes_per_element)`.

Also fix the symmetric issue in `apply_pxr24_impl()` (the encoder):

    lastIn += w * 4

advances a pointer by a signed 32-bit product; corrected to

    lastIn += (uint64_t)w * 4

Made-with: Cursor
Signed-off-by: Cary Phillips <cary@ilm.com>

1 parent 2c19a5a commit f5beec2
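The following is an added demonstration, not code from this commit or from the project, of why the cast order matters for the `EXR_PIXEL_FLOAT` bounds check. It emulates the wrapped 32-bit product with unsigned arithmetic (so the demo itself has no undefined behaviour) and compares it with the widened form; the function names, the width `0x60000000` and the 1 GiB `outSize` are constructed for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* What `(uint64_t)(w * 3)` yields on a two's-complement build after the
 * signed 32-bit multiply has wrapped. Emulated with unsigned arithmetic so
 * this demonstration itself contains no undefined behaviour. */
static uint64_t float_row_bytes_wrapped(int32_t w)
{
    uint32_t low32 = (uint32_t)w * 3u;   /* low 32 bits of w * 3 */
    int32_t as_int = (int32_t)low32;     /* the int the compiler would hold */
    return (uint64_t)as_int;             /* then widened (sign-extended) */
}

/* The fixed expression from the commit: widen first, then multiply. */
static uint64_t float_row_bytes_fixed(int32_t w)
{
    return (uint64_t)w * 3;
}

/* Same shape as the decoder's check: reject when the row would not fit. */
static bool row_fits(uint64_t nDec, uint64_t row_bytes, uint64_t outSize)
{
    return nDec + row_bytes <= outSize;
}

/* True when the wrapped form admits a row that the fixed form rejects,
 * i.e. the bounds check would have been bypassed for this width. */
static bool bypass_demonstrated(int32_t w, uint64_t outSize)
{
    const uint64_t nDec = 0;   /* nothing decoded into the buffer yet */
    return row_fits(nDec, float_row_bytes_wrapped(w), outSize)
        && !row_fits(nDec, float_row_bytes_fixed(w), outSize);
}

int main(void)
{
    /* Constructed values: a width whose triple exceeds INT32_MAX, and a
     * 1 GiB output buffer that is far too small for the real row size. */
    int32_t w = 0x60000000;
    uint64_t outSize = UINT64_C(1) << 30;
    printf("w=%" PRId32 " wrapped=%" PRIu64 " fixed=%" PRIu64 " bypass=%d\n",
           w, float_row_bytes_wrapped(w), float_row_bytes_fixed(w),
           bypass_demonstrated(w, outSize));
    return 0;
}
```

The widened multiply still assumes `w` is non-negative: a negative width converts to a very large `uint64_t` and the 64-bit addition in the check could itself wrap, so width validation belongs before this point.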
1 file changed
Lines changed: 3 additions & 3 deletions
Diff hunks (the changed source lines were not captured in this rendering, only their positions):
- line 185: 1 deletion, 1 addition (context lines 182-188)
- line 377: 1 deletion, 1 addition (context lines 374-380)
- line 390: 1 deletion, 1 addition (context lines 387-393)
0 commit comments