Skip to content

Add overflow protection to LZW buffer allocation#107

Open
uwezkhan wants to merge 3 commits into
dloebl:mainfrom
uwezkhan:fix/lzw-allocation-overflow-guard
Open

Add overflow protection to LZW buffer allocation#107
uwezkhan wants to merge 3 commits into
dloebl:mainfrom
uwezkhan:fix/lzw-allocation-overflow-guard

Conversation

@uwezkhan

@uwezkhan uwezkhan commented Mar 1, 2026

Copy link
Copy Markdown
Contributor

This patch adds explicit overflow guards to the LZW
buffer allocation in cgif_raw.c.

The allocation size is derived from:

numPixel + 2 + maxResets

Without guarding against additive and multiplicative
overflow, extreme dimension values could cause the
computed allocation size to wrap, leading to an
undersized heap allocation and potential out-of-bounds
writes during LZW encoding.

The patch introduces:

  • Additive overflow check using SIZE_MAX
  • Multiplicative overflow check before sizeof(uint16_t)
  • Preserves existing cleanup logic
  • Uses existing CGIF_EALLOC error handling

No public API changes.
No behavioral changes for valid inputs.
Negligible runtime impact.

Security impact:
Prevents potential heap buffer overflow in the LZW
encoding path due to allocation size wraparound.

@dloebl

dloebl commented Mar 15, 2026

Copy link
Copy Markdown
Owner

Hey @uwezkhan,
please read the contributing guidelines before opening any new pull requests or issues.

Missing test case (required): Bug fix PRs must include a test in tests/ that reproduces the issue on main (fails before the fix, passes after). No test was provided and no changes to tests/meson.build were made. See CONTRIBUTING.md:, section "Submitting Pull Requests", item 3.

AI tooling attribution: If any AI models or tooling were used to produce this PR, please disclose that per our contributing guidelines (CONTRIBUTING.md:, item 5).

@uwezkhan
uwezkhan force-pushed the fix/lzw-allocation-overflow-guard branch from 4ff2400 to 07bf827 Compare April 12, 2026 20:14
uwezkhan and others added 2 commits May 2, 2026 21:10
Wire the LZW allocation overflow regression test into tests/meson.build so
it actually runs, and detect the buffer by size rather than by malloc call
index so the struct-of-arrays split in LZW_GenerateStream no longer moves the
target allocation. Fails on a 32-bit build without the guard, passes with it.

Signed-off-by: Uwez Khan <uwezkhan053@gmail.com>
@uwezkhan

uwezkhan commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Test's in now and wired into tests/meson.build so it actually runs. It calls LZW_GenerateStream directly with numPixel near UINT32_MAX and intercepts malloc: without the guard, on a 32-bit build the size wraps to ~161 KB (fails), and with the size_t guard it returns CGIF_EALLOC before allocating (passes). A 64-bit build doesn't wrap either way, so it's a no-op there.

On the tooling question: I use an LLM a bit for sanity-checking and looking things up, but the reasoning and code here are mine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants