ryan/mozjpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rdbmp.c/rdppm.c: Fix more innocuous UBSan errors

Browse Source 
- rdbmp.c: Because of 8fb37b8171,
  bfOffBits, biClrUsed, and headerSize were made into unsigned ints.
  Thus, if bPad would eventually be negative due to a malformed header,
  UBSan complained about unsigned math being used in the intermediate
  computations.  It was unnecessary to make those variables unsigned,
  since they are only meant to hold small values, so this commit makes
  them signed again.  The UBSan error was innocuous, because it is
  effectively (if not officially) the case that
  (int)((unsigned int)a - (unsigned int)b) == (int)a - (int)b.

- rdbmp.c: If (biWidth * source->bits_per_pixel / 8) would overflow an
  unsigned int, then UBSan complained at the point at which row_width
  was set in start_input_bmp(), even though the overflow would have been
  detected later in the function.  This commit adds overflow checks
  prior to setting row_width.

- rdppm.c: read_pbm_integer() now bounds-checks the intermediate
  value computations in order to catch integer overflow caused by a
  malformed text PPM.  It's possible, though extremely unlikely, that
  the intermediate value computations could have wrapped around to a
  value smaller than maxval, but the worst case is that this would have
  generated a bogus pixel in the uncompressed image rather than throwing
  an error.
This commit is contained in:
DRC
2021-04-09 17:36:41 -05:00
parent 4ede2ef523
commit dd830b3ffe
2 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
rdbmp.c
View File

@@ -424,14 +424,14 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
(((unsigned int)UCH(array[offset + 2])) << 16) + \
(((unsigned int)UCH(array[offset + 3])) << 24))
unsigned int bfOffBits;
unsigned int headerSize;
int bfOffBits;
int headerSize;
int biWidth;
int biHeight;
unsigned short biPlanes;
unsigned int biCompression;
int biXPelsPerMeter, biYPelsPerMeter;
unsigned int biClrUsed = 0;
int biClrUsed = 0;
int mapentrysize = 0; /* 0 indicates no colormap */
int bPad;
JDIMENSION row_width = 0;
@@ -575,6 +575,8 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
cinfo->input_components = 4;
else
ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
if ((unsigned long long)biWidth * 3ULL > 0xFFFFFFFFULL)
ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
row_width = (JDIMENSION)(biWidth * 3);
break;
case 32:
@@ -586,6 +588,8 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
cinfo->input_components = 4;
else
ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
if ((unsigned long long)biWidth * 4ULL > 0xFFFFFFFFULL)
ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
row_width = (JDIMENSION)(biWidth * 4);
break;
default:

3
rdppm.c
View File

@@ -112,10 +112,9 @@ read_pbm_integer(j_compress_ptr cinfo, FILE *infile, unsigned int maxval)
while ((ch = pbm_getc(infile)) >= '0' && ch <= '9') {
val *= 10;
val += ch - '0';
}
if (val > maxval)
ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
}
return val;
}