You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
read: prevent integer overflow in image grid validation
Add explicit overflow checks before multiplying tile dimensions by
grid rows/columns to avoid wraparound that could bypass validation and
lead to malformed image handling.
Reject unsafe grids early with AVIF_RESULT_INVALID_IMAGE_GRID.
"Grid image dimensions would cause integer overflow");
1746
+
returnAVIF_RESULT_INVALID_IMAGE_GRID;
1747
+
}
1748
+
1740
1749
if (((tile->image->width*grid->columns) <grid->outputWidth) || ((tile->image->height*grid->rows) <grid->outputHeight)) {
1741
1750
avifDiagnosticsPrintf(data->diag,
1742
1751
"Grid image tiles do not completely cover the image (HEIF (ISO/IEC 23008-12:2017), Section 6.6.2.3.1)");
1743
1752
returnAVIF_RESULT_INVALID_IMAGE_GRID;
1744
1753
}
1745
1754
// Tiles in the rightmost column and bottommost row must overlap the reconstructed image grid canvas. See MIAF (ISO/IEC 23000-22:2019), Section 7.3.11.4.2, Figure 2.
1755
+
// Check for overflow in (columns - 1) and (rows - 1) multiplications
1756
+
if ((tile->image->width>0&&grid->columns>1&& (grid->columns-1) >UINT32_MAX / tile->image->width) ||
0 commit comments