Commit f5f7f32
Security: fix signed integer overflow in undo_pxr24_impl() (PXR24 decoder) (PixarAnimationStudios#2323)

In the `EXR_PIXEL_FLOAT` branch of `undo_pxr24_impl()`, the expressions

    (uint64_t)(w * 3)

compute the signed 32-bit product `w * 3` before the cast to `uint64_t`.
When `w` is large this is undefined behavior under the C standard; on
two's-complement builds without sanitizers the result wraps to a small
positive value, which can cause the bounds check

    if (nDec + (uint64_t)(w * 3) > outSize)

to pass incorrectly. If the check is bypassed the decode loop proceeds
to write `4*w` bytes through `dout`, potentially far beyond the allocated
output buffer.

Fix: cast `w` to `uint64_t` before multiplying so that both the bounds
check and the counter update are performed entirely in 64-bit unsigned
arithmetic:

    (uint64_t)w * 3    (cast before multiply, not after)

The `EXR_PIXEL_UINT` and `EXR_PIXEL_HALF` decode branches are unaffected:
they reuse the pre-computed `nBytes` variable, which is already formed as
`(uint64_t)(w) * (uint64_t)(bytes_per_element)`.

Also fix the symmetric issue in `apply_pxr24_impl()` (the encoder):

    lastIn += w * 4

advances a pointer by a signed 32-bit product; corrected to

    lastIn += (uint64_t)w * 4

Made-with: Cursor
Signed-off-by: Cary Phillips <cary@ilm.com>

1 parent 0512b6c commit f5f7f32
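An added illustration, not OpenEXR's code, of why the position of the cast matters for the bounds check the commit message describes. The helper names, the row width and the 1 GiB buffer size are constructed for the demonstration; `nDec`, `w` and `outSize` mirror the variables named above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix shape of the check: w * 3 is evaluated as a signed 32-bit int
 * and only then widened to uint64_t. Evaluating the overflowing product
 * directly would be undefined behaviour, so the wrap that a non-sanitized
 * two's-complement build produces is emulated with unsigned arithmetic
 * and a (two's-complement) narrowing conversion. Hypothetical helper. */
static bool fits_before_fix(uint64_t nDec, int32_t w, uint64_t outSize) {
    int32_t wrapped = (int32_t)((uint32_t)w * 3u);   /* stands in for w * 3 */
    return nDec + (uint64_t)wrapped <= outSize;
}

/* Post-fix shape: w is widened first, so the product is a 64-bit unsigned
 * value and cannot wrap for any 32-bit w. Hypothetical helper. */
static bool fits_after_fix(uint64_t nDec, int32_t w, uint64_t outSize) {
    return nDec + (uint64_t)w * 3 <= outSize;
}

/* Bytes the check is meant to account for, computed without wrapping. */
static uint64_t row_bytes_needed(int32_t w) { return (uint64_t)w * 3; }

int main(void) {
    /* Constructed sample: a 1 GiB output buffer and a row width whose
     * triple exceeds INT32_MAX, so w * 3 wraps to 0x20000000 in 32 bits. */
    uint64_t outSize = (uint64_t)1 << 30;
    int32_t w = 1610612736;                           /* 0x60000000 */
    printf("needed=%llu bufsize=%llu before_fix=%d after_fix=%d\n",
           (unsigned long long)row_bytes_needed(w),
           (unsigned long long)outSize,
           fits_before_fix(0, w, outSize), fits_after_fix(0, w, outSize));
    return 0;
}
```

The pre-fix check accepts the row because the wrapped product (512 MiB) fits in the buffer, while the real requirement is about 4.5 GiB; the post-fix check rejects it.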
1 file changed
Lines changed: 3 additions & 3 deletions
Diff (three hunks, each replacing one line; the line contents are not shown):

    hunk at lines 182-188: line 185 removed, new line 185 added
    hunk at lines 371-377: line 374 removed, new line 374 added
    hunk at lines 384-390: line 387 removed, new line 387 added