rdbmp.c/rdppm.c: Fix more innocuous UBSan errors
- rdbmp.c: Because of 8fb37b8171,
bfOffBits, biClrUsed, and headerSize were made into unsigned ints.
Thus, if bPad would eventually be negative due to a malformed header,
UBSan complained about unsigned math being used in the intermediate
computations. It was unnecessary to make those variables unsigned,
since they are only meant to hold small values, so this commit makes
them signed again. The UBSan error was innocuous, because it is
effectively (if not officially) the case that
(int)((unsigned int)a - (unsigned int)b) == (int)a - (int)b.
- rdbmp.c: If (biWidth * source->bits_per_pixel / 8) would overflow an
unsigned int, then UBSan complained at the point at which row_width
was set in start_input_bmp(), even though the overflow would have been
detected later in the function. This commit adds overflow checks
prior to setting row_width.
- rdppm.c: read_pbm_integer() now bounds-checks the intermediate
value computations in order to catch integer overflow caused by a
malformed text PPM. It's possible, though extremely unlikely, that
the intermediate value computations could have wrapped around to a
value smaller than maxval, but the worst case is that this would have
generated a bogus pixel in the uncompressed image rather than throwing
an error.
This commit is contained in:
DRC
10
rdbmp.c
10
rdbmp.c
@@ -424,14 +424,14 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
|||||||
(((unsigned int)UCH(array[offset + 2])) << 16) + \
|
(((unsigned int)UCH(array[offset + 2])) << 16) + \
|
||||||
(((unsigned int)UCH(array[offset + 3])) << 24))
|
(((unsigned int)UCH(array[offset + 3])) << 24))
|
||||||
|
|
||||||
unsigned int bfOffBits;
|
int bfOffBits;
|
||||||
unsigned int headerSize;
|
int headerSize;
|
||||||
int biWidth;
|
int biWidth;
|
||||||
int biHeight;
|
int biHeight;
|
||||||
unsigned short biPlanes;
|
unsigned short biPlanes;
|
||||||
unsigned int biCompression;
|
unsigned int biCompression;
|
||||||
int biXPelsPerMeter, biYPelsPerMeter;
|
int biXPelsPerMeter, biYPelsPerMeter;
|
||||||
unsigned int biClrUsed = 0;
|
int biClrUsed = 0;
|
||||||
int mapentrysize = 0; /* 0 indicates no colormap */
|
int mapentrysize = 0; /* 0 indicates no colormap */
|
||||||
int bPad;
|
int bPad;
|
||||||
JDIMENSION row_width = 0;
|
JDIMENSION row_width = 0;
|
||||||
@@ -575,6 +575,8 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
|||||||
cinfo->input_components = 4;
|
cinfo->input_components = 4;
|
||||||
else
|
else
|
||||||
ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
|
ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
|
||||||
|
if ((unsigned long long)biWidth * 3ULL > 0xFFFFFFFFULL)
|
||||||
|
ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
|
||||||
row_width = (JDIMENSION)(biWidth * 3);
|
row_width = (JDIMENSION)(biWidth * 3);
|
||||||
break;
|
break;
|
||||||
case 32:
|
case 32:
|
||||||
@@ -586,6 +588,8 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
|||||||
cinfo->input_components = 4;
|
cinfo->input_components = 4;
|
||||||
else
|
else
|
||||||
ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
|
ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
|
||||||
|
if ((unsigned long long)biWidth * 4ULL > 0xFFFFFFFFULL)
|
||||||
|
ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
|
||||||
row_width = (JDIMENSION)(biWidth * 4);
|
row_width = (JDIMENSION)(biWidth * 4);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
|
|||||||
5
rdppm.c
5
rdppm.c
@@ -112,11 +112,10 @@ read_pbm_integer(j_compress_ptr cinfo, FILE *infile, unsigned int maxval)
|
|||||||
while ((ch = pbm_getc(infile)) >= '0' && ch <= '9') {
|
while ((ch = pbm_getc(infile)) >= '0' && ch <= '9') {
|
||||||
val *= 10;
|
val *= 10;
|
||||||
val += ch - '0';
|
val += ch - '0';
|
||||||
|
if (val > maxval)
|
||||||
|
ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (val > maxval)
|
|
||||||
ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
|
|
||||||
|
|
||||||
return val;
|
return val;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user