Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix overflows in avifRGBImageAllocatePixels() #2354

Merged
merged 1 commit into from
Aug 1, 2024
Merged

Fix overflows in avifRGBImageAllocatePixels() #2354

merged 1 commit into from
Aug 1, 2024

Conversation

wantehchang
Copy link
Collaborator

Calculate rowBytes in uint32_t. Only the allocation size needs to be size_t.

Also make sure it is safe to cast various rowBytes fields to ptrdiff_t. We need to do this when subtracting rowBytes from a pointer to go back one row.

Part of the fix to #2271.

@wantehchang
Fix overflows in avifRGBImageAllocatePixels()
90295c3 
Calculate rowBytes in uint32_t. Only the allocation size needs to be
size_t.

Also make sure it is safe to cast various rowBytes fields to ptrdiff_t.
We need to do this when subtracting rowBytes from a pointer to go back
one row.

Part of the fix to AOMediaCodec#2271.
@wantehchang wantehchang merged commit 6b0a47b into AOMediaCodec:main Aug 1, 2024
14 checks passed
@wantehchang wantehchang deleted the fix-allocate-overflows branch August 1, 2024 16:07
wantehchang
wantehchang commented Aug 1, 2024
View reviewed changes
src/avif.c
return AVIF_RESULT_INVALID_ARGUMENT;
}
const size_t fullSize = fullRowBytes * image->height;
#endif
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jzern I added this check yesterday (because I will need to cast rowBytes (what libaom calls stride) to ptrdiff_t when I fix some overflows in src/reformat.c. But I am now wondering if this check is necessary. If we have allocated the plane buffer successfully, it implies that rowBytes is <= SIZE_MAX. So in a reasonable C implentation, this should also imply that rowBytes is <= PTRDIFF_MAX. Do you agree?

cppreference.com describes this unlikely case:

If an array is so large (greater than PTRDIFF_MAX elements, but equal to or less than SIZE_MAX bytes), that the difference between two pointers may not be representable as ptrdiff_t, the result of subtracting two such pointers is undefined.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have another idea: we can avoid this unlikely case by changing the check below to use PTRDIFF_MAX:

    if (image->height > PTRDIFF_MAX / fullRowBytes) {
        return AVIF_RESULT_INVALID_ARGUMENT;
    }

This seems to match the following paragraph in cppreference.com:

For char arrays shorter than PTRDIFF_MAX, ptrdiff_t acts as the signed counterpart of size_t: it can store the size of the array of any type and is, on most platforms, synonymous with intptr_t).

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using PTRDIFF_MAX sounds reasonable.

wantehchang added a commit to wantehchang/libavif that referenced this pull request Aug 1, 2024
@wantehchang
Require allocation size be <= PTRDIFF_MAX
da4b45d 
This makese it safe to cast rowBytes to ptrdiff_t.

Part of the fix to AOMediaCodec#2354.
@wantehchang wantehchang mentioned this pull request Aug 1, 2024
Merged
wantehchang added a commit that referenced this pull request Aug 2, 2024
@wantehchang
Require allocation size be <= PTRDIFF_MAX
9ea9a94 
This makese it safe to cast rowBytes to ptrdiff_t.

Part of the fix to #2354.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzern jzern jzern left review comments

@maryla-uc maryla-uc maryla-uc approved these changes

@y-guyon y-guyon Awaiting requested review from y-guyon

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wantehchang @jzern @maryla-uc