Fix multiple memory safety issues in stb_image and stb_vorbis#1927
Open
boergeson wants to merge 2 commits into
Open
Fix multiple memory safety issues in stb_image and stb_vorbis#1927boergeson wants to merge 2 commits into
boergeson wants to merge 2 commits into
Conversation
stb_image.h: - Add overflow checks to stbi__convert_16_to_8 and stbi__convert_8_to_16 - Use stbi__malloc_mad4 in stbi__convert_format16 (8-bit sibling already used stbi__malloc_mad3) - Fix two_back pointer in animated GIF loader (was out - 2*stride, should be out + (layers-2)*stride) - Validate palette index against palette length in stbi__expand_png_palette - Fix stbi__process_marker failure returning success instead of failure stb_vorbis.c: - Fix sign error in bounds clamp in codebook_decode_deinterleave_repeat
|
The stb_vorbis.c change is a duplicate of #1490. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes for several integer overflow, out-of-bounds, and logic bugs found during a security review.
stb_image.h:
stbi__convert_16_to_8andstbi__convert_8_to_16(lines 1193, 1209)stbi__malloc_mad4instbi__convert_format16-- the 8-bit sibling was already usingstbi__malloc_mad3but the 16-bit version was missed (line 1820)two_backpointer in animated GIF loader:out - 2*stridepoints before the buffer, should beout + (layers-2)*stride(line 7023). Crashes under ASAN.stbi__expand_png_palette-- the palette length was being ignored viaSTBI_NOTUSED(len), allowing out-of-bounds reads from uninitialized stack memory (line 4988)stbi__process_markerfailure returning 1 (success) instead of 0 (line 3448)stb_vorbis.c:
codebook_decode_deinterleave_repeat:- c_intershould be+ c_inter(line 1891)PoCs and a full writeup are in the
poc/directory on this branch. See the companion issue for the complete list of findings.