mirror/kimageformats
1
0
Fork 0
mirror of https://invent.kde.org/frameworks/kimageformats.git synced 2025-07-18 20:04:16 -04:00
Code Issues Packages Projects Releases Wiki Activity

hdr: fix crash (oss-fuzz)

Browse Source 
This patch Fixes crash when RLE data is corrupted (test cases attached).

Should also fixes (no test cases available):
- Issue 62044 in oss-fuzz: kimageformats:kimgio_hdr_fuzzer: Undefined-shift in RGBE_To_QRgbLine
- Issue 62057 in oss-fuzz: kimageformats:kimgio_hdr_fuzzer: Heap-buffer-overflow in Read_Old_Line


[crash-646a4364479f54278ff8c30c69b0c9665e5869af.hdr](/uploads/44760f0286cde4236feab8e352493556/crash-646a4364479f54278ff8c30c69b0c9665e5869af.hdr)

[crash-88c33e2b49e57e6d1d4ec6945476f605f00e714a.hdr](/uploads/e35bf53ee717134a796c4b17cfacca42/crash-88c33e2b49e57e6d1d4ec6945476f605f00e714a.hdr)
This commit is contained in:
Mirco Miranda
2023-09-07 16:22:33 +00:00
committed by Daniel Novomeský
parent 723f72930b
commit a981cefdd2
1 changed files with 16 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/imageformats/hdr.cpp
View File

@ -40,6 +40,7 @@ static bool Read_Old_Line(uchar *image, int width, QDataStream &s)
int rshift = 0; int rshift = 0;
int i; int i;
uchar *start = image;
while (width > 0) { while (width > 0) {
s >> image[0]; s >> image[0];
s >> image[1]; s >> image[1];
@ -51,7 +52,11 @@ static bool Read_Old_Line(uchar *image, int width, QDataStream &s)
} }
if ((image[0] == 1) && (image[1] == 1) && (image[2] == 1)) { if ((image[0] == 1) && (image[1] == 1) && (image[2] == 1)) {
for (i = image[3] << rshift; i > 0; i--) { // NOTE: we don't have an image sample that cover this code
for (i = image[3] << rshift; i > 0 && width > 0; i--) {
if (image == start) {
return false; // you cannot be here at the first run
}
// memcpy(image, image-4, 4); // memcpy(image, image-4, 4);
(uint &)image[0] = (uint &)image[0 - 4]; (uint &)image[0] = (uint &)image[0 - 4];
image += 4; image += 4;
@ -72,7 +77,7 @@ static void RGBE_To_QRgbLine(uchar *image, QRgb *scanline, int width)
for (int j = 0; j < width; j++) { for (int j = 0; j < width; j++) {
// v = ldexp(1.0, int(image[3]) - 128); // v = ldexp(1.0, int(image[3]) - 128);
float v; float v;
int e = int(image[3]) - 128; int e = qBound(-31, int(image[3]) - 128, 31);
if (e > 0) { if (e > 0) {
v = float(1 << e); v = float(1 << e);
} else { } else {
@ -146,7 +151,7 @@ static bool LoadHDR(QDataStream &s, const int width, const int height, QImage &i
} }
// read each component // read each component
for (int i = 0; i < 4; i++) { for (int i = 0, len = int(lineArray.size()); i < 4; i++) {
for (int j = 0; j < width;) { for (int j = 0; j < width;) {
s >> code; s >> code;
if (s.atEnd()) { if (s.atEnd()) {
@ -158,14 +163,20 @@ static bool LoadHDR(QDataStream &s, const int width, const int height, QImage &i
code &= 127; code &= 127;
s >> val; s >> val;
while (code != 0) { while (code != 0) {
image[i + j * 4] = val; auto idx = i + j * 4;
if (idx < len) {
image[idx] = val;
}
j++; j++;
code--; code--;
} }
} else { } else {
// non-run // non-run
while (code != 0) { while (code != 0) {
s >> image[i + j * 4]; auto idx = i + j * 4;
if (idx < len) {
s >> image[idx];
}
j++; j++;
code--; code--;
} }