Commit a764742
Fix signed integer overflow in LossyDctDecoder_execute() pointer arithmetic (#2329)
`numBlocksX` and `numBlocksY` are declared as `int`. Two pointer-offset
expressions in `LossyDctDecoder_execute()` multiplied them as signed
32-bit integers before using the result as a pointer offset:
    rowBlock[comp] = rowBlock[comp - 1] + numBlocksX * 64;
    currDcComp[comp] = currDcComp[comp - 1] + numBlocksX * numBlocksY;
`dataWindow.max.x` is a signed 32-bit value in the EXR file format, so
`numBlocksX` can reach `(INT32_MAX + 7) / 8 = 268,435,456`. At that
point `numBlocksX * 64 = 17,179,869,184` overflows `int32`, and
`numBlocksX * numBlocksY` overflows even sooner. The wraparound
produces a small or negative pointer offset, causing `rowBlock[comp]`
and `currDcComp[comp]` to point into already-used or pre-buffer memory
rather than the intended component stride.
Fix: cast `numBlocksX` to `size_t` before multiplying so the
arithmetic is performed in pointer-sized unsigned arithmetic:
    rowBlock[comp] = rowBlock[comp - 1] + (size_t) numBlocksX * 64;
    currDcComp[comp] = currDcComp[comp - 1] + (size_t) numBlocksX * numBlocksY;
This is consistent with the allocation on the line above, which already
uses `(size_t) numComp * (size_t) numBlocksX * 64 * sizeof(uint16_t)`,
and with the packed-DC count check, which uses explicit `uint64_t` casts.
Made-with: Cursor
Signed-off-by: Cary Phillips <cary@ilm.com>
1 parent d578381 commit a764742
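As an added illustration (not code from the commit or from the project), the program below reproduces the wraparound the commit message describes: the pre-fix `int` product for the `(INT32_MAX + 7) / 8` block count collapses to zero, so `rowBlock[comp]` would alias `rowBlock[comp - 1]`, while the `size_t` form keeps the real stride. The `num_blocks` and `product_fits_int` helpers are assumptions of this example, not functions of the decoder.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Number of 8x8 DCT blocks covering an extent, following the commit
 * message: (INT32_MAX + 7) / 8 = 268,435,456 for a full-width data
 * window.  Computed in 64-bit so this step itself cannot overflow.
 * (Hypothetical helper, not the decoder's own code.) */
static int num_blocks(int64_t extent) {
    return (int)((extent + 7) / 8);
}

/* Pre-fix behaviour: `numBlocksX * 64` evaluated as 32-bit int.  Signed
 * overflow is undefined in C, so the two's-complement wraparound is
 * reproduced with unsigned arithmetic and converted back to int32_t. */
static int32_t offset_int32(int a, int b) {
    return (int32_t)((uint32_t)a * (uint32_t)b);
}

/* Fixed behaviour: cast to size_t before multiplying, as in the patch.
 * Returned as uint64_t so the value is printable on any platform. */
static uint64_t offset_size_t(int a, int b) {
    return (uint64_t)((size_t)a * b);
}

/* Defensive check a decoder can apply before either expression: both
 * block counts must be positive and their product must fit in int.
 * (Hypothetical helper, not part of the patch.) */
static int product_fits_int(int a, int b) {
    if (a <= 0 || b <= 0) return 0;
    return (int64_t)a * (int64_t)b <= INT32_MAX;
}

int main(void) {
    int nx = num_blocks(INT32_MAX);          /* 268,435,456 */
    printf("numBlocksX            = %d\n", nx);
    printf("int32  nx * 64        = %" PRId32
           "  (wraps to 0: rowBlock[comp] aliases rowBlock[comp-1])\n",
           offset_int32(nx, 64));
    printf("size_t nx * 64        = %" PRIu64 "\n", offset_size_t(nx, 64));
    /* numBlocksX * numBlocksY overflows at far smaller block counts. */
    printf("int32  46341 * 46341  = %" PRId32 "  (negative offset)\n",
           offset_int32(46341, 46341));
    printf("fits_int(46341,46341) = %d\n", product_fits_int(46341, 46341));
    return 0;
}
```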
1 file changed
Lines changed: 2 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
265 | 265 | | |
266 | 266 | | |
267 | 267 | | |
268 | | - | |
| 268 | + | |
269 | 269 | | |
270 | 270 | | |
271 | 271 | | |
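Review bot: the replaced line at 268 is not rendered in this table, so this comment goes by the commit message, which presumably quotes it as `rowBlock[comp] = rowBlock[comp - 1] + (size_t) numBlocksX * 64;`. The cast removes the 32-bit wraparound but still trusts that `numBlocksX` is non-negative; since it is derived from a signed `dataWindow.max.x`, a negative count converted to `size_t` would become a very large offset, so please confirm that an earlier validation rejects a non-positive `numBlocksX` (or add one) before relying on this line.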
| |||
275 | 275 | | |
276 | 276 | | |
277 | 277 | | |
278 | | - | |
| 278 | + | |
279 | 279 | | |
280 | 280 | | |
281 | 281 | | |
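Review bot: the replaced line at 278, presumably the `currDcComp[comp] = currDcComp[comp - 1] + (size_t) numBlocksX * numBlocksY;` quoted in the commit message, casts only the first operand. That is sufficient, because `numBlocksY` is promoted to `size_t` by the usual arithmetic conversions before the multiply, but casting both operands in the `(size_t) numComp * (size_t) numBlocksX` style of the allocation the message cites would make the intent explicit and spare a later reader from checking the promotion rules.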
| |||