fix(targa): reject implausible image dimensions before allocating#5290
Closed
lgritz wants to merge 1 commit into
Closed
fix(targa): reject implausible image dimensions before allocating#5290lgritz wants to merge 1 commit into
lgritz wants to merge 1 commit into
Conversation
An 18-byte TGA file consisting of just a header (no pixel data) can claim an arbitrary width/height/bpp -- e.g. a 1472x12000 24bpp image -- and readimg() would allocate the full ~53MB buffer and only discover the truncation once the first read hits EOF. Worse, the resulting partially-formed ImageSpec could still propagate to a downstream writer before the read failure was acted on. Cross-check the header's width/height/bpp against how many bytes of pixel data the file could plausibly contain before committing to the allocation, mirroring the existing pattern in iff.imageio and jpeg2000.imageio. The check compares against the *on-disk* pixel size (palette/16-bit storage is smaller per pixel than the decoded, unpacked ImageSpec) and allows up to 128x expansion for RLE-compressed images (a 1-byte run-length count can encode up to 128 output pixels). Updated testsuite/targa/ref/out.txt: several existing corrupt-file regression cases (crash1.tga, crash6.tga, crash3952.tga) are now caught earlier with clearer messages, and two real oiio-images TGA files (UCM8.TGA, UTC16.TGA) that use palette/16-bit storage smaller than their decoded size continue to read correctly. Assisted-by: Claude Code / Sonnet 5 Signed-off-by: Larry Gritz <lg@larrygritz.com>
Collaborator
Author
|
Closing — opened without authorization by an AI agent. Human will resubmit if the fix is wanted. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
readimg()would allocate the full ~53MB buffer and only discover the truncation once the first read hit EOF.iff.imageioandjpeg2000.imageio. Compares against the on-disk pixel size (palette/16-bit storage is smaller per pixel than the decoded, unpackedImageSpec) and allows up to 128x expansion for RLE (a 1-byte run-length count can encode up to 128 output pixels).Test plan
testsuite/targa/ref/out.txtupdated: several existing corrupt-file regression cases (crash1.tga,crash6.tga,crash3952.tga) are now caught earlier with clearer messages.oiio-imagesTGA files (UCM8.TGA,UTC16.TGA) that use palette/16-bit storage smaller than their decoded size still read correctly (this was a regression I had to fix in the check itself before landing it).ctest -R ^targa$passes.🤖 Generated with Claude Code