-
Notifications
You must be signed in to change notification settings - Fork 616
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix undefined behavior: clamp shift in B44 Decompress #832
fix undefined behavior: clamp shift in B44 Decompress #832
Conversation
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
OpenEXR/IlmImf/ImfB44Compressor.cpp
Outdated
|
||
|
||
// | ||
//TODO unverified fix for undefined behavior |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The TODO comment is confusing, what do you mean by 'unverified'?
OpenEXR/IlmImf/ImfB44Compressor.cpp
Outdated
// prevents undefined behavior in this circumstance (but cast to unsigned short | ||
// will still overflow) | ||
// | ||
unsigned short shift = std::min( 26 , b[ 2] >> 2); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why 26, since the type is unsigned short? Why not clamp to 10 instead, since any more would overflow the 16 bits and produce the same 0 results?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose that's why I felt the need to say the fix was 'unverified' as wasn't fully sure.
IlmImfTest produces shift values of 11, so 10 is definitely not enough. It may actually need to be 31 to be sure this change won't change the decoding of broken images. shift
is used to compute bias
, as well as in the following lines.
My understanding is this:
All the << operators cause casts to 32 bit signed integers for those lines. That means all those lines involve 32 bit computation, which is then truncated to 16 bits. I think the implicit cast to signed arithmetic may have been unintentional.
It appears that what happens when a<<b
overflows is undefined if a is signed, but defined if a
is unsigned: the top bits are lost. However if b
is equal to or greater than type's bit size (e.g. larger than 31 if a
is 32 bit int) then the behavior is always undefined. Perhaps some 32-bit processors only take the bottom 5 bits of b
, so a<<33
gives the same result as a<<1
A more conservative approach would be to clamp shift to 31, and switch all the computation to unsigned operations. This would prevent any undefined behavior. Overflows would still happen but now have well defined behavior.
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
…prevent undefined behavior Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
…tests (#875) * ignore unused bits in B44 mode detection Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #832: use unsigned values in shift to prevent undefined behavior Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #818: compute Huf codelengths using 64 bit to prevent shift overflow Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #817: double-check unpackedBuffer created in DWA uncompress Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #820: suppress sanitizer warnings when writing invalid enums Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #825: Avoid overflow in calculateNumTiles when size=MAX_INT Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #826: restrict maximum tile size to INT_MAX byte limit Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #827: lighter weight reading of Luma-only images via RgbaInputFile Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * refactor channel filling in InputFile API with tiled source Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * handle edge-case of empty framebuffer Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * apply #829: fix buffer overflow check in PIZ decompression Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * Use Int64 in dataWindowForTile to prevent integer overflow (#831) * Use Int64 in dataWindowForTile to prevent integer overflow Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * use signed 64 bit instead for dataWindow calculation Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Co-authored-by: Cary Phillips <cary@ilm.com> Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * prevent overflow in hufUncompress if nBits is large (#836) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * add sanity check for reading multipart files with no parts (#840) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * reduce B44 _tmpBufferSize (was allocating two bytes per byte) (#843) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * check for valid Huf code lengths (#849) * check for valid Huf code lengths * test non-fast huf decoder in testHuf Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * check 1 part files with 'nonimage' bit have type attribute (#860) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Co-authored-by: Cary Phillips <cary@ilm.com> Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * Fix overflow computing deeptile sample table size (#861) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * re-order shift/compare in FastHuf to prevent undefined shift overflow warning (#819) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Co-authored-by: Cary Phillips <cary@ilm.com> Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * more elegant exception handling in exrmaketiled (#841) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * check EXRAllocAligned succeeded to allocate ScanlineInputFile lineBuffers (#844) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * test channels are DCT compressed before DWA decompression (#845) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * Merge ABI-compatible changes from #842 Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Co-authored-by: Cary Phillips <cary@ilm.com>
…demySoftwareFoundation#832) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz>
…demySoftwareFoundation#832) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com>
* double-check unpackedBuffer created in DWA uncompress Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com> * compute Huf codelengths using 64 bit to prevent shift overflow Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com> * Avoid overflow in calculateNumTiles when size=MAX_INT (#825) * Avoid overflow in calculateNumTiles when size=MAX_INT Signed-off-by: Cary Phillips <cary@ilm.com> * Compute level size with 64 bits to avoid overflow Signed-off-by: Cary Phillips <cary@ilm.com> * More efficient handling of filled channels reading tiles with scanline API (#830) * refactor channel filling in InputFile API with tiled source Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * handle edge-case of empty framebuffer Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com> * fix undefined behavior: ignore unused bits in B44 mode detection (#832) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com> * Fix overflow computing deeptile sample table size (#861) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com> * sanity check ScanlineInput bytesPerLine instead of lineOffset size (#863) Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Co-authored-by: Cary Phillips <cary@ilm.com> Signed-off-by: Cary Phillips <cary@ilm.com> * Release notes for v2.4.3 Signed-off-by: Cary Phillips <cary@ilm.com> * Bump version for v2.4.3 Signed-off-by: Cary Phillips <cary@ilm.com> * reduce size limit for scanline files; prevent large chunkoffset allocations (#824) * reduce size limit for scanline files; protect against large chunkoffset allocations Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * bugfix for memory limit changes Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * rearrange chunkoffset test to protect bytesperline table too Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> * remove extraneous function declaration; tidy comments Signed-off-by: Peter Hillman <peterh@wetafx.co.nz> Signed-off-by: Cary Phillips <cary@ilm.com> * Change v2.4.3 release date to May 17, and clean up urls Signed-off-by: Cary Phillips <cary@ilm.com> Co-authored-by: Peter Hillman <peterh@wetafx.co.nz>
Fix undefined behavior with overflow as described in #821
This fix at least suppresses the error in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787
A better fix may be possible, and it would be good to confirm the overflow only arises with specially crafted input files, and can never occur with images written via the OpenEXR library.
Signed-off-by: Peter Hillman peterh@wetafx.co.nz