strukturag / libheif

libheif is an HEIF and AVIF file format decoder and encoder.

Integer overflow in uncompressed_box.cc #1206

Closed farindk closed 2 months ago

farindk commented 3 months ago

@bradh I got a fuzzer hitting an integer overflow:

libheif/codecs/uncompressed_box.cc:263:38: runtime error: unsigned integer overflow: 4294967295 + 1 cannot be represented in type 'unsigned int'

https://github.com/strukturag/libheif/blob/9d4a5107c469c76fec7146b896819bc215a66fbe/libheif/codecs/uncompressed_box.cc#L263-265

Probably, it is enough to output an error when the number of tiles exceeds a sensible maximum.

bradh commented 3 months ago

This is why we should have stuck to the _minus_1 :-) Of course then the overflow could just happen later.

I'll take care of this one.

farindk commented 3 months ago

I really would like to have C++ integer types that have a limited range (e.g. `int<-1,1024>`). Then we would not constantly have issues of signed vs unsigned or +1 overflows like this.

bradh commented 3 months ago

> I really would like to have C++ integer types that have a limited range (e.g. `int<-1,1024>`). Then we would not constantly have issues of signed vs unsigned or +1 overflows like this.

In writing the unit test I found I had an off-by-one error in my comparison...
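The check farindk proposes, as an added example that is not libheif's own code: a "number of tiles minus 1" field read from the box is bounded before the +1, so neither the increment nor the row-times-column product can wrap. The function names and the 4096-per-dimension cap are assumptions; the naive form is shown alongside only to make the wraparound visible.

```cpp
#include <cstdint>

// Assumed cap on tiles per dimension; the page does not state libheif's real limit.
constexpr uint32_t kMaxTilesPerDimension = 4096;

// Naive form of the computation the sanitizer flagged: the "minus 1" fields are
// 32-bit unsigned, so 0xFFFFFFFF + 1 wraps to 0 (well-defined for unsigned, but
// wrong), and the product can wrap the same way.
uint32_t naive_tile_count(uint32_t rows_minus_1, uint32_t cols_minus_1)
{
  return (rows_minus_1 + 1) * (cols_minus_1 + 1);
}

// Hardened form: reject the raw fields before adding 1, and do the arithmetic in
// 64 bits. Returns false for a malformed box so the caller can emit an error.
// Because the field stores count-1, the comparison must be ">= kMax", not "> kMax":
// a rows_minus_1 of kMax would mean kMax+1 tiles (the off-by-one the thread mentions).
bool checked_tile_count(uint32_t rows_minus_1, uint32_t cols_minus_1, uint64_t& out)
{
  if (rows_minus_1 >= kMaxTilesPerDimension || cols_minus_1 >= kMaxTilesPerDimension) {
    return false;
  }
  uint64_t rows = static_cast<uint64_t>(rows_minus_1) + 1;
  uint64_t cols = static_cast<uint64_t>(cols_minus_1) + 1;
  out = rows * cols;  // at most 4096 * 4096, far below UINT64_MAX
  return true;
}
```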