
Fix T94629: The IMB_flip API would fail with large images
Closed, Public

Authored by Jesse Yurkovich (deadpin) on Jan 6 2022, 6:57 AM.

Details

Summary

Fix IMB_flip[xy] to handle cases where integer overflow might occur when
given sufficiently large image dimensions.

All of these fixes were of a similar class where the intermediate
sub-expression would overflow silently. Widen the types as necessary.


Notes:
The ultimate size of images is guarded within the imb_alloc_pixels
API. With that check, these calculations won't overflow 64 bits.

Those with static analysis / MSVC will see messages like the following in rotate.c:

C26451	Arithmetic overflow: Using operator '*' on a 4 byte value and then casting the result to a 8 byte value. Cast the value to the wider type before calling operator '*' to avoid overflow (io.2)

lnt-arithmetic-overflow	A sub-expression may overflow before being assigned to a wider type.

Those with UB sanitizer will see messages at runtime similar to:

runtime error: signed integer overflow: 914929610 * 4 cannot be represented in type 'int'
runtime error: pointer index expression with base 0x000000918ec0 overflowed to 0xffffffff691d0b60
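The bug class named in the summary, as an added example (not code from this revision or from Blender): the product is evaluated in `int` before it is widened, so the cast has to go on an operand, not on the result. The function names `int_mul_overflows`, `pixel_offset` and `flip_rows` are hypothetical; the operands 914929610 and 4 used in the test come from the UB sanitizer message above.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* True when a * b (both positive) cannot be represented in int, which is
 * the case UBSan reports as "signed integer overflow". Checked by division
 * so the overflowing multiplication is never executed. */
bool int_mul_overflows(int a, int b)
{
    return a > 0 && b > 0 && a > INT_MAX / b;
}

/* Byte offset of pixel (x, y). Casting an operand (not the finished
 * product) makes every multiplication and addition happen in size_t. */
size_t pixel_offset(int x, int y, int width, int channels)
{
    return ((size_t)y * (size_t)width + (size_t)x) * (size_t)channels;
}

/* Hypothetical in-place vertical flip of a byte image. The row stride and
 * all row offsets are size_t; dimensions are validated before use. */
bool flip_rows(uint8_t *buf, int width, int height, int channels)
{
    if (buf == NULL || width <= 0 || height <= 0 || channels <= 0) {
        return false;
    }
    const size_t stride = (size_t)width * (size_t)channels;
    /* Reject sizes that would wrap size_t itself (matters on 32-bit). */
    if (stride / (size_t)channels != (size_t)width ||
        stride > SIZE_MAX / (size_t)height) {
        return false;
    }
    for (int top = 0, bottom = height - 1; top < bottom; top++, bottom--) {
        uint8_t *a = buf + (size_t)top * stride;
        uint8_t *b = buf + (size_t)bottom * stride;
        for (size_t i = 0; i < stride; i++) { /* swap the two rows bytewise */
            uint8_t t = a[i];
            a[i] = b[i];
            b[i] = t;
        }
    }
    return true;
}
```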

Diff Detail

Repository
rB Blender
Branch
fixT94629 (branched from master)
Build Status
Buildable 19797
Build 19797: arc lint + arc unit