mm2 / Little-CMS

A free, open source, CMM engine. It provides fast transforms between ICC profiles.
https://www.littlecms.com
MIT License

cmsopt.c:1544:63: runtime error: signed integer overflow: -227861702 * 139 cannot be represented in type 'int' #307

Closed boxerab closed 2 years ago

boxerab commented 2 years ago

Hello @mm2 ,

My JPEG 2000 codec uses Little-CMS for colour management. My project is part of oss-fuzz, and I have a fuzzer report for the following file containing an ICC profile:

clusterfuzz-testcase-minimized-grk_decompress_fuzzer-6443744562380800.zip

The error is:

```
cmsopt.c:1544:63: runtime error: signed integer overflow: -227861702 * 139 cannot be represented in type 'int'
    #0 0x713446 in MatShaperEval16 grok/thirdparty/liblcms2/src/cmsopt.c:1544:63
    #1 0x6dbbce in PrecalculatedXFORM grok/thirdparty/liblcms2/src/cmsxform.c:428:13
    #2 0x6d8461 in cmsDoTransform grok/thirdparty/liblcms2/src/cmsxform.c:206:5
```

The ICC profile appears to be corrupt. Is there a way of validating the profile and avoiding this runtime error ? If you would like, I can extract the ICC profile and send it over.

Thanks very much, Aaron

boxerab commented 2 years ago

By the way, I also found a small typo in the MatShaperEval16 comments:

// A fast matrix-shaper evaluator for 8 bits. This is a bit ticky since I'm using 1.14 signed fixed point

mm2 commented 2 years ago

Thanks for reporting.

It is harmless: the profile overflows, and the code has a protection against out-of-bounds values in the next lines. The C99 spec says the result is undefined; for throughput's sake I let the profile overflow and then clip unreasonable results. No exploit can be done here.

I'm annotating this function as "no sanitize", but this only works on clang right now.
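The pattern described above (a 1.14 fixed-point matrix row multiplied by shaper outputs, rounded, shifted, then clipped) can be written so that the overflow never happens in `int` arithmetic at all, which keeps the result defined without a sanitizer annotation. The following is an added illustration, not Little-CMS code: the evaluator widens to 64-bit before multiplying, and a separate checker reports whether the equivalent 32-bit evaluation would have overflowed, so a profile validator could reject or log such a profile. The constants (`0x4000` as 1.0 in 1.14, `0x2000` as the rounding term) and the row layout are assumptions about the general technique, not a statement about the exact lcms source.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 1.14 fixed-point row evaluator (added example, not lcms code).
   1.0 is 0x4000; 0x2000 is the rounding term added before the >> 14. */
#define FIXED14_ONE   0x4000
#define FIXED14_ROUND 0x2000

/* Widening multiply: |a * b| < 2^62 for any two int32 operands, so no overflow. */
static int64_t mul14_wide(int32_t a, int32_t b) {
    return (int64_t)a * (int64_t)b;
}

/* Evaluate one output channel: three 1.14 coefficients, three 1.14 inputs, an
   offset. Negative accumulators are clipped to 0 before the shift so no
   right-shift of a negative value occurs; large results clip to 1.0. */
int32_t eval_row14(const int32_t mat[3], const int32_t in[3], int32_t off) {
    int64_t acc = (int64_t)off + FIXED14_ROUND;
    for (int i = 0; i < 3; i++) {
        acc += mul14_wide(mat[i], in[i]);
    }
    if (acc < 0) return 0;
    acc >>= 14;
    if (acc > FIXED14_ONE) return FIXED14_ONE;
    return (int32_t)acc;
}

/* Report whether the same computation done in plain int (as a naive evaluator
   would) hits signed overflow, using compiler-checked arithmetic. A validator
   can use this to flag a profile whose coefficients are out of any sane range. */
int row14_overflows_int(const int32_t mat[3], const int32_t in[3], int32_t off) {
    int32_t acc, prod;
    if (__builtin_add_overflow(off, FIXED14_ROUND, &acc)) return 1;
    for (int i = 0; i < 3; i++) {
        if (__builtin_mul_overflow(mat[i], in[i], &prod)) return 1;
        if (__builtin_add_overflow(acc, prod, &acc)) return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed inputs: the coefficient and operand from the sanitizer report,
       placed in the first column, with the other columns zero. */
    const int32_t bad_mat[3] = { -227861702, 0, 0 };
    const int32_t bad_in[3]  = { 139, 0, 0 };
    printf("corrupt row: int overflow=%d, widened+clipped result=%d\n",
           row14_overflows_int(bad_mat, bad_in, 0),
           eval_row14(bad_mat, bad_in, 0));

    /* Constructed sane case: identity coefficient, input of 0.5 in 1.14. */
    const int32_t ok_mat[3] = { FIXED14_ONE, 0, 0 };
    const int32_t ok_in[3]  = { 0x2000, 0, 0 };
    printf("sane row: int overflow=%d, result=%d\n",
           row14_overflows_int(ok_mat, ok_in, 0),
           eval_row14(ok_mat, ok_in, 0));
    return 0;
}
```

The widened evaluator gives the same clipped answer the existing code reaches after wraparound, but without relying on undefined behaviour, so UBSan stays quiet and a fuzzer will not keep reopening the same finding. The checker is the piece a profile loader could run once at parse time: a matrix row whose 32-bit evaluation can overflow for in-range shaper output is a strong signal that the profile is corrupt.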

boxerab commented 2 years ago

Thanks, @mm2. Since oss-fuzz uses the clang sanitizer, adding CMS_NO_SANITIZE to this method will suppress my fuzzer issue.