Skip to content

apps: fix integer-overflow and OOB write issues in image loaders #280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kraszkow merged 1 commit into from
Nov 25, 2025
Merged

apps: fix integer-overflow and OOB write issues in image loaders #280

kraszkow merged 1 commit into from
Nov 25, 2025

Conversation

@kraszkow
Copy link
Contributor

@kraszkow kraszkow commented Nov 21, 2025

This patch hardens ImageBuffer and the PFM loader against malformed or malicious inputs:

  • Switch width/height/channels from int to size_t to avoid signed overflow.
  • Add maxDim guard (64K) and reject images whose total pixel count exceeds int limits to prevent integer multiplication overflow.
  • Validate pixel reads during PFM parsing and fail early on read errors.
  • Use overflow-safe widthheightC checks before allocating the buffer.
  • Add static_assert ensuring size_t is 64-bit on supported platforms.

These changes prevent tiny allocations followed by large writes caused by untrusted PFM headers (e.g., malicious W/H/C), removing the possibility of heap-based out-of-bounds writes.

@kraszkow kraszkow requested review from atafra and Copilot November 21, 2025 17:02
Copilot AI reviewed Nov 21, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens image loading code against malicious or malformed inputs by addressing integer overflow and out-of-bounds write vulnerabilities. The changes focus on preventing heap-based exploits that could occur when processing untrusted image files, particularly PFM format files.

Key changes:

  • Switches dimension and channel types from int to size_t to prevent signed integer overflow
  • Adds validation to reject excessively large images (maxDim=64K) and ensures total pixel counts don't exceed int limits
  • Improves PFM loader error handling with early validation of pixel read operations

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
common/platform.h Adds compile-time assertion ensuring size_t is 64-bit on all supported platforms
apps/utils/image_io.cpp Changes PFM loader to use size_t for dimensions/channels and adds per-pixel read validation
apps/utils/image_buffer.h Updates ImageBuffer interface to use size_t for dimensions and adds maxDim constant
apps/utils/image_buffer.cpp Implements validation checks to prevent overflow during buffer allocation

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot AI mentioned this pull request Nov 21, 2025
Closed
Copy link

Copilot AI commented Nov 21, 2025

@kraszkow I've opened a new pull request, #281, to work on those changes. Once the pull request is ready, I'll request review from you.

Copy link

Copilot AI commented Nov 21, 2025

@kraszkow I've opened a new pull request, #282, to work on those changes. Once the pull request is ready, I'll request review from you.

This was referenced Nov 21, 2025
Closed
Closed
Copy link

Copilot AI commented Nov 25, 2025

@kraszkow I've opened a new pull request, #283, to work on those changes. Once the pull request is ready, I'll request review from you.

atafra
atafra requested changes Nov 25, 2025
View reviewed changes
Copy link
Collaborator

@atafra atafra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Just a few more minor things:

  • Please update commit message to: "apps: fix integer-overflow..."
  • Please update changelog, without "apps:" prefix but mentioning that only oidnDenoise is affected.

@kraszkow
apps: fix integer-overflow and OOB write issues in image loaders
33fd2e1 
This patch hardens ImageBuffer and the PFM loader against malformed or
malicious inputs:

- Switch width/height/channels from int to size_t to avoid signed overflow.
- Add maxDim guard (64K) and reject images whose total pixel count exceeds
  int limits to prevent integer multiplication overflow.
- Validate pixel reads during PFM parsing and fail early on read errors.
- Use overflow-safe width*height*C checks before allocating the buffer.
- Add static_assert ensuring size_t is 64-bit on supported platforms.

These changes prevent tiny allocations followed by large writes caused by
untrusted PFM headers (e.g., malicious W/H/C), removing the possibility of
heap-based out-of-bounds writes.
@kraszkow kraszkow changed the title Fix integer-overflow and OOB write issues in image loaders apps: fix integer-overflow and OOB write issues in image loaders Nov 25, 2025
atafra
atafra approved these changes Nov 25, 2025
View reviewed changes
Copy link
Collaborator

@atafra atafra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ready to merge!

@kraszkow kraszkow merged commit 88b6cbd into devel Nov 25, 2025
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@atafra atafra atafra approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kraszkow @atafra