GreycLab / CImg

The CImg Library is a small and open-source C++ toolkit for image processing
http://cimg.eu

Integer overflow with cimg_max_buf_size definition on Windows x86 #351

Closed 0xC0000054 closed 2 years ago

0xC0000054 commented 2 years ago

cimg_max_buf_size is unconditionally defined as 16*1024*1024*1024, this will overflow the range of a cimg_ulong on Windows x86. On Windows x86 cimg_ulong is defined as an unsigned int, with a maximum value of 0xffffffff (4 GB - 1).

```cpp
#ifndef cimg_max_buf_size
#define cimg_max_buf_size ((cimg_ulong)16*1024*1024*1024)
#endif
```

The cimg_max_buf_size value wraps around to 0, which causes G'MIC-Qt to crash with an unhandled exception thrown from safe_size.

According to a report I received on the Paint.NET forum, this issue has been occurring with the 32-bit G'MIC-Qt builds since version 3.1.0.

dtschump commented 2 years ago

Thanks for reporting. A workaround is to define cimg_max_buf_size to a lower value for 32bits architectures with -Dcimg_max_buf_size. Having it auto-detected in CImg.h would be better though.

dtschump commented 2 years ago

Maybe this https://github.com/dtschump/CImg/commit/d8bb494d6cf829d6b9c73d61a24cbba6075d50ea could solve the problem ?

0xC0000054 commented 2 years ago

That would still overflow, 0xffffffff is (4*1024*1024*1024) - 1. I would define it as either 3*1024*1024*1024 or 2*1024*1024*1024.

I will update my build scripts to define cimg_max_buf_size as 3*1024*1024*1024. On Windows the user mode code is limited to 2GB of address space, so you will run out of memory before hitting that limit.

dtschump commented 2 years ago

Yes, I've noticed that afterwards :) https://github.com/dtschump/CImg/commit/21ba6b4dbeb74bda1bdd2a5b0983e4337cb897d3

0xC0000054 commented 2 years ago

Looks good. Closing this issue.
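The arithmetic discussed in this thread, as an added example that is not part of the issue or of CImg itself. It models `cimg_ulong` as both a 32-bit and a 64-bit unsigned type (so the wraparound can be observed on any host, not only Windows x86), evaluates the macro's expression for 16, 4 and 3 GiB, and shows a width-aware selection that picks the largest candidate that fits. `request_allowed` is a hypothetical stand-in for the size check the reporter attributes to `safe_size`; it is not CImg's function.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <type_traits>

// Stand-ins for cimg_ulong: unsigned int (32-bit) on Windows x86,
// a 64-bit unsigned type on the other platforms the issue compares against.
using ulong32 = std::uint32_t;
using ulong64 = std::uint64_t;

// Evaluate the macro's expression ((cimg_ulong)N*1024*1024*1024) for a given
// unsigned width. Unsigned overflow is well-defined modular arithmetic, so a
// product past the type's range wraps silently instead of failing to compile.
template <typename U>
constexpr U max_buf_size_as_written(unsigned gib) {
    static_assert(std::is_unsigned<U>::value, "cimg_ulong is modelled as unsigned");
    return (U)gib * 1024 * 1024 * 1024;
}

// Exact check: does N GiB fit in U? Computed in 64 bits so it cannot wrap itself.
template <typename U>
constexpr bool fits_in(unsigned gib) {
    return (unsigned long long)gib * 1024ULL * 1024ULL * 1024ULL
           <= (unsigned long long)std::numeric_limits<U>::max();
}

// Width-aware default: 16 GiB where it fits, otherwise the 3 GiB value the
// reporter settled on for 32-bit builds, otherwise the type's maximum.
template <typename U>
constexpr U pick_max_buf_size() {
    return fits_in<U>(16) ? max_buf_size_as_written<U>(16)
         : fits_in<U>(3)  ? max_buf_size_as_written<U>(3)
         : std::numeric_limits<U>::max();
}

// Hypothetical stand-in for a safe_size-style check: a request is allowed only
// if it does not exceed the configured limit. With the limit wrapped to 0,
// every non-empty buffer is rejected, which is the failure the issue describes.
template <typename U>
bool request_allowed(U max_buf, unsigned long long requested_bytes) {
    return requested_bytes <= (unsigned long long)max_buf;
}

int main() {
    std::printf("32-bit: 16 GiB -> %llu, 4 GiB -> %llu, 3 GiB -> %llu\n",
                (unsigned long long)max_buf_size_as_written<ulong32>(16),
                (unsigned long long)max_buf_size_as_written<ulong32>(4),
                (unsigned long long)max_buf_size_as_written<ulong32>(3));
    std::printf("64-bit: 16 GiB -> %llu\n",
                (unsigned long long)max_buf_size_as_written<ulong64>(16));
    std::printf("picked limit: 32-bit %llu, 64-bit %llu\n",
                (unsigned long long)pick_max_buf_size<ulong32>(),
                (unsigned long long)pick_max_buf_size<ulong64>());
    std::printf("1 MiB request with wrapped limit allowed? %s\n",
                request_allowed<ulong32>(max_buf_size_as_written<ulong32>(16),
                                         1024ULL * 1024ULL) ? "yes" : "no");
    return 0;
}
```

Both 16 GiB and 4 GiB wrap to exactly 0 in a 32-bit unsigned (2^34 and 2^32 are multiples of 2^32), which is why the first proposed fix in the thread still failed; 3 GiB is the largest whole-GiB value below 0xffffffff.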