Add overflow protection to LZW buffer allocation#107
Conversation
|
Hey @uwezkhan, Missing test case (required): Bug fix PRs must include a test in AI tooling attribution: If any AI models or tooling were used to produce this PR, please disclose that per our contributing guidelines (CONTRIBUTING.md:, item 5). |
4ff2400 to
07bf827
Compare
Wire the LZW allocation overflow regression test into tests/meson.build so it actually runs, and detect the buffer by size rather than by malloc call index so the struct-of-arrays split in LZW_GenerateStream no longer moves the target allocation. Fails on a 32-bit build without the guard, passes with it. Signed-off-by: Uwez Khan <uwezkhan053@gmail.com>
|
Test's in now and wired into tests/meson.build so it actually runs. It calls LZW_GenerateStream directly with numPixel near UINT32_MAX and intercepts malloc: without the guard, on a 32-bit build the size wraps to ~161 KB (fails), and with the size_t guard it returns CGIF_EALLOC before allocating (passes). A 64-bit build doesn't wrap either way, so it's a no-op there. On the tooling question: I use an LLM a bit for sanity-checking and looking things up, but the reasoning and code here are mine. |
This patch adds explicit overflow guards to the LZW
buffer allocation in cgif_raw.c.
The allocation size is derived from:
Without guarding against additive and multiplicative
overflow, extreme dimension values could cause the
computed allocation size to wrap, leading to an
undersized heap allocation and potential out-of-bounds
writes during LZW encoding.
The patch introduces:
No public API changes.
No behavioral changes for valid inputs.
Negligible runtime impact.
Security impact:
Prevents potential heap buffer overflow in the LZW
encoding path due to allocation size wraparound.