fix undefined behavior: clamp shift in B44 Decompress #832
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
cary-ilm
reviewed
Sep 9, 2020
OpenEXR/IlmImf/ImfB44Compressor.cpp
Outdated
|
|
||
|
|
||
| // | ||
| //TODO unverified fix for undefined behavior |
There was a problem hiding this comment.
The TODO comment is confusing, what do you mean by 'unverified'?
cary-ilm
reviewed
Sep 9, 2020
OpenEXR/IlmImf/ImfB44Compressor.cpp
Outdated
| // prevents undefined behavior in this circumstance (but cast to unsigned short | ||
| // will still overflow) | ||
| // | ||
| unsigned short shift = std::min( 26 , b[ 2] >> 2); |
There was a problem hiding this comment.
Why 26, since the type is unsigned short? Why not clamp to 10 instead, since any more would overflow the 16 bits and produce the same 0 results?
There was a problem hiding this comment.
I suppose that's why I felt the need to say the fix was 'unverified' as wasn't fully sure.
IlmImfTest produces shift values of 11, so 10 is definitely not enough. It may actually need to be 31 to be sure this change won't change the decoding of broken images. shift is used to compute bias, as well as in the following lines.
My understanding is this:
All the << operators cause casts to 32 bit signed integers for those lines. That means all those lines involve 32 bit computation, which is then truncated to 16 bits. I think the implicit cast to signed arithmetic may have been unintentional.
It appears that what happens when a<<b overflows is undefined if a is signed, but defined if a is unsigned: the top bits are lost. However if b is equal to or greater than type's bit size (e.g. larger than 31 if a is 32 bit int) then the behavior is always undefined. Perhaps some 32-bit processors only take the bottom 5 bits of b, so a<<33 gives the same result as a<<1
A more conservative approach would be to clamp shift to 31, and switch all the computation to unsigned operations. This would prevent any undefined behavior. Overflows would still happen but now have well defined behavior.
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
peterhillman
added a commit
to peterhillman/openexr
that referenced
this pull request
Dec 7, 2020
…prevent undefined behavior Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
cary-ilm
added a commit
that referenced
this pull request
Dec 30, 2020
…tests (#875) * ignore unused bits in B44 mode detection Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #832: use unsigned values in shift to prevent undefined behavior Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #818: compute Huf codelengths using 64 bit to prevent shift overflow Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #817: double-check unpackedBuffer created in DWA uncompress Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #820: suppress sanitizer warnings when writing invalid enums Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #825: Avoid overflow in calculateNumTiles when size=MAX_INT Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #826: restrict maximum tile size to INT_MAX byte limit Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #827: lighter weight reading of Luma-only images via RgbaInputFile Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * refactor channel filling in InputFile API with tiled source Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * handle edge-case of empty framebuffer Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #829: fix buffer overflow check in PIZ decompression Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * Use Int64 in dataWindowForTile to prevent integer overflow (#831) * Use Int64 in dataWindowForTile to prevent integer overflow Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * use signed 64 bit instead for dataWindow calculation Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Co-authored-by: Cary Phillips <cary@ilm.com> Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * prevent overflow in hufUncompress if nBits is large (#836) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * add sanity check for reading multipart files with no parts (#840) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * reduce B44 _tmpBufferSize (was allocating two bytes per byte) (#843) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * check for valid Huf code lengths (#849) * check for valid Huf code lengths * test non-fast huf decoder in testHuf Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * check 1 part files with 'nonimage' bit have type attribute (#860) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Co-authored-by: Cary Phillips <cary@ilm.com> Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * Fix overflow computing deeptile sample table size (#861) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * re-order shift/compare in FastHuf to prevent undefined shift overflow warning (#819) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Co-authored-by: Cary Phillips <cary@ilm.com> Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * more elegant exception handling in exrmaketiled (#841) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * check EXRAllocAligned succeeded to allocate ScanlineInputFile lineBuffers (#844) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * test channels are DCT compressed before DWA decompression (#845) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * Merge ABI-compatible changes from #842 Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Co-authored-by: Cary Phillips <cary@ilm.com>
cary-ilm
pushed a commit
to cary-ilm/openexr
that referenced
this pull request
May 12, 2021
…demySoftwareFoundation#832) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
cary-ilm
pushed a commit
to cary-ilm/openexr
that referenced
this pull request
May 12, 2021
…demySoftwareFoundation#832) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com>
cary-ilm
added a commit
that referenced
this pull request
May 16, 2021
* double-check unpackedBuffer created in DWA uncompress Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com> * compute Huf codelengths using 64 bit to prevent shift overflow Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com> * Avoid overflow in calculateNumTiles when size=MAX_INT (#825) * Avoid overflow in calculateNumTiles when size=MAX_INT Signed-off-by: Cary Phillips <cary@ilm.com> * Compute level size with 64 bits to avoid overflow Signed-off-by: Cary Phillips <cary@ilm.com> * More efficient handling of filled channels reading tiles with scanline API (#830) * refactor channel filling in InputFile API with tiled source Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * handle edge-case of empty framebuffer Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com> * fix undefined behavior: ignore unused bits in B44 mode detection (#832) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com> * Fix overflow computing deeptile sample table size (#861) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com> * sanity check ScanlineInput bytesPerLine instead of lineOffset size (#863) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Co-authored-by: Cary Phillips <cary@ilm.com> Signed-off-by: Cary Phillips <cary@ilm.com> * Release notes for v2.4.3 Signed-off-by: Cary Phillips <cary@ilm.com> * Bump version for v2.4.3 Signed-off-by: Cary Phillips <cary@ilm.com> * reduce size limit for scanline files; prevent large chunkoffset allocations (#824) * reduce size limit for scanline files; protect against large chunkoffset allocations Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * bugfix for memory limit changes Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * rearrange chunkoffset test to protect bytesperline table too Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * remove extraneous function declaration; tidy comments Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com> * Change v2.4.3 release date to May 17, and clean up urls Signed-off-by: Cary Phillips <cary@ilm.com> Co-authored-by: Peter Hillman <peterh@wetafx.co.nz>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix undefined behavior with overflow as described in #821
This fix at least suppresses the error in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787
A better fix may be possible, and it would be good to confirm the overflow only arises with specially crafted input files, and can never occur with images written via the OpenEXR library.
Signed-off-by: Peter Hillman peterh@wetafx.co.nz