
Fixes a crash and an infinite loop in stb_image that could occur with specially constructed PGM and HDR files #1223

Merged


Contributor

@NBickford-NV NBickford-NV commented Oct 7, 2021

Fixes two availability issues in stb_image that could occur with specially
constructed HDR and PGM files. Please see issues #1224 and #1225 for full descriptions.

HDR: In certain conditions, the RLE decoder can get stuck in the decoding loop
at the end of a stream: stbi__get8() always returns 0 when at the end of a
stream, which is interpreted as a count and results in an infinite loop.
I believe the solution is to treat a run of 0 as invalid, following the
RGBE_ReadPixels_RLE() function in Bruce Walter's
https://www.graphics.cornell.edu/~bjw/rgbe/rgbe.c.

PGM: Loading large monochrome 16-bit PGM files would cause an access violation
due to reading out of bounds when converting from 16-bit to 8-bit. In addition,
when loading 16-bit PGM files, stbi__pnm_load() would call
stbi__convert_format() instead of stbi__convert_format16() to convert from
monochrome to the required number of channels, so the buffer would be
interpreted as the wrong type. This pull request also adds an error message for
when the stbi__getn() call fails.

Thanks!
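The two hardening points in the PR description above, as an added example that is not stb_image's code and not part of the pull request: a stripped-down Radiance-style RLE channel decoder whose byte reader returns 0 past the end of the stream (the stbi__get8() behaviour the description relies on) and which rejects a zero count so a truncated file fails instead of looping, plus 16-bit PGM handling that expands channels on uint16_t samples before reducing to 8 bits, with sizes counted in samples rather than bytes. All function names, the iteration budget and the constructed inputs are the example's own.

```c
/* Added example (not stb_image's own code): the two checks described in the PR,
 * in stripped-down form. Names, helpers and inputs are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { const uint8_t *p, *end; } byte_stream;

/* Mirrors the stbi__get8() behaviour the PR describes: 0 once the stream is exhausted. */
static uint8_t get8(byte_stream *s) { return s->p < s->end ? *s->p++ : 0; }

/* Decode one channel of an RLE scanline into out[0..width-1].
 * Returns 0 on success, -1 on corrupt data, -2 if 'budget' iterations passed without
 * finishing (the stall the PR describes; the budget exists only so the pre-fix
 * behaviour can be shown without hanging). reject_zero_run = 1 applies the fix. */
static int hdr_decode_channel(byte_stream *s, uint8_t *out, int width,
                              int reject_zero_run, int budget)
{
    int i = 0;
    while (i < width) {
        int nleft = width - i, count;
        if (budget-- <= 0) return -2;
        count = get8(s);
        /* A count of 0 never describes data, and it is exactly what an exhausted
         * stream yields, so treating it as corrupt (as rgbe.c does) ends the loop. */
        if (reject_zero_run && count == 0) return -1;
        if (count > 128) {                      /* run: one value repeated count-128 times */
            uint8_t value = get8(s);
            count -= 128;
            if (count > nleft) return -1;
            while (count-- > 0) out[i++] = value;
        } else {                                /* dump: count literal values */
            if (count > nleft) return -1;
            while (count-- > 0) out[i++] = get8(s);
        }
    }
    return 0;
}

/* 16-bit PGM samples are big-endian on disk; keep them as uint16_t. */
static void pgm16_load_samples(const uint8_t *raw, size_t nsamples, uint16_t *out)
{
    for (size_t k = 0; k < nsamples; ++k)
        out[k] = (uint16_t)((raw[2 * k] << 8) | raw[2 * k + 1]);
}

/* Expand monochrome 16-bit samples to req_comp channels while still 16-bit (the
 * stbi__convert_format16() path the PR says 16-bit data must take). Alpha, when
 * present, is the last channel and is set opaque. Returns samples written. */
static size_t gray16_to_channels(const uint16_t *src, size_t npixels, int req_comp, uint16_t *dst)
{
    for (size_t px = 0; px < npixels; ++px)
        for (int c = 0; c < req_comp; ++c) {
            int is_alpha = (req_comp == 2 || req_comp == 4) && c == req_comp - 1;
            dst[px * (size_t)req_comp + c] = is_alpha ? 0xFFFF : src[px];
        }
    return npixels * (size_t)req_comp;
}

/* Reduce to 8 bits. nsamples counts uint16_t elements of the converted buffer,
 * so the read covers exactly that buffer and cannot run past its end. */
static void reduce_16_to_8(const uint16_t *src, size_t nsamples, uint8_t *dst)
{
    for (size_t k = 0; k < nsamples; ++k) dst[k] = (uint8_t)(src[k] >> 8);
}

/* Constructed inputs (not taken from any real file). */
static const uint8_t HDR_OK[]  = { 133, 0x10, 3, 1, 2, 3 };  /* run of 5 x 0x10, then 3 literals */
static const uint8_t HDR_CUT[] = { 133, 0x10 };              /* truncated right after the run */
static const uint8_t PGM_RAW[] = { 0x12, 0x34, 0xAB, 0xCD };  /* two big-endian 16-bit pixels */

/* Decode an 8-wide channel from data and return the decoder's result code. */
static int demo_hdr(const uint8_t *data, size_t len, int reject_zero_run)
{
    uint8_t out[8];
    byte_stream s = { data, data + len };
    return hdr_decode_channel(&s, out, 8, reject_zero_run, 64);
}

/* Byte 'index' of the HDR_OK decode with the fix applied (-1 on failure). */
static int demo_hdr_byte(int index)
{
    uint8_t out[8];
    byte_stream s = { HDR_OK, HDR_OK + sizeof HDR_OK };
    if (index < 0 || index >= 8 || hdr_decode_channel(&s, out, 8, 1, 64) != 0) return -1;
    return out[index];
}

/* 8-bit sample 'index' of PGM_RAW expanded to req_comp channels (-1 if out of range). */
static int demo_pgm16_byte(int req_comp, size_t index)
{
    uint16_t gray[2], expanded[8];
    uint8_t out8[8];
    size_t n;
    if (req_comp < 1 || req_comp > 4) return -1;
    pgm16_load_samples(PGM_RAW, 2, gray);
    n = gray16_to_channels(gray, 2, req_comp, expanded);
    reduce_16_to_8(expanded, n, out8);
    return index < n ? out8[index] : -1;
}

int main(void)
{
    printf("valid stream, fixed decoder:       %d\n", demo_hdr(HDR_OK, sizeof HDR_OK, 1));
    printf("truncated stream, fixed decoder:   %d (corrupt)\n", demo_hdr(HDR_CUT, sizeof HDR_CUT, 1));
    printf("truncated stream, pre-fix decoder: %d (stalled)\n", demo_hdr(HDR_CUT, sizeof HDR_CUT, 0));
    printf("PGM pixel 1 as RGBA: %d %d %d %d\n", demo_pgm16_byte(4, 4), demo_pgm16_byte(4, 5),
           demo_pgm16_byte(4, 6), demo_pgm16_byte(4, 7));
    return 0;
}
```

With reject_zero_run = 0 the truncated stream keeps reading count 0 and never advances i, which is the loop the PR describes; the budget only makes that visible as a -2 result. For the PGM path, the point is that every size passed to the reduce step counts uint16_t samples of the already-converted buffer, so the 16-to-8 read stays within what the channel expansion actually wrote.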

musicinmybrain added a commit to musicinmybrain/zxing-cpp that referenced this pull request Dec 8, 2021
Fixes a crash and an infinite loop in stb_image that could occur with
specially constructed PGM and HDR files

nothings/stb#1223

This is a candidate fix for:

  https://nvd.nist.gov/vuln/detail/CVE-2021-42715

  In stb_image's HDR reader, loading a specially constructed invalid HDR
  file can result in an infinite loop within the RLE decoder
  nothings/stb#1224

Additionally, this is a candidate fix for:

  https://nvd.nist.gov/vuln/detail/CVE-2021-42716

  stbi__pnm_load heap-buffer-overflow bug
  nothings/stb#1166

  In stb_image's PNM reader, loading a specially constructed valid
  16-bit PGM file with 4 channels can cause a crash due to an
  out-of-bounds read
  nothings/stb#1225

@NBickford-NV
Contributor Author

Following up on this - is there anything I can change to help merge this in? Thanks!

@nothings
Owner

nothings commented Jan 7, 2022

stb repository is just slow for me to update

@NBickford-NV
Contributor Author

Quick note from the survey of the first 10 ossfuzz issues I did: I think this pull request might resolve ossfuzz issues https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37628&q=proj%3Dstb&can=2 (this seems to be the infinite HDR reader error) and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38394&q=proj%3Dstb&can=2 (I think this is due to the PGM issue). I'm unable to reproduce ossfuzz's crashes with these fixes on Windows with Address Sanitizer enabled.

@rygorous
Collaborator

Merged into dev branch, will be in the next release.

@rygorous rygorous added the "5 merged-dev" (Merged into development branch) label Jan 22, 2023
@NBickford-NV
Contributor Author

Thanks so much ryg!

@nothings nothings merged commit e5da6ac into nothings:master Jan 29, 2023
@NBickford-NV NBickford-NV deleted the neilbickford/image_hdr_pgm_fixes branch January 31, 2023 03:43