Harden gain-map pixel count arithmetic and dimension validation#3220
Closed
metsw24-max wants to merge 1 commit into
Conversation
wantehchang
reviewed
May 22, 2026
| // marker is the offset of the size field in stream, returned by a previous | ||
| // avifRWStreamWriteBox() or avifRWStreamWriteFullBox() call. | ||
| AVIF_NODISCARD avifResult avifRWStreamFinishBox(avifRWStream * stream, avifBoxMarker marker); | ||
| void avifRWStreamFinishBox(avifRWStream * stream, avifBoxMarker marker); |
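Review bot: changing avifRWStreamFinishBox() from void to AVIF_NODISCARD avifResult (the last two lines of this hunk) makes every existing caller that ignores the return value a compile error or warning, and the header comment above it still only describes the marker argument, not which condition produces a result other than success. Suggest documenting the failure case in that comment and listing the updated call sites in the PR description, which currently names avifRWStreamFinishBox() under Changes without saying what changed.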
| size_t numPixels; | ||
| if (!avifDimensionsToPixelCount(width, height, &numPixels)) { | ||
| return AVIF_RESULT_INVALID_ARGUMENT; | ||
| } |
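Review bot: the overflow check at this call site is unreachable: as the maintainer's comment on this thread points out, a buffer of width x height has already been allocated successfully before this point, so the product already fits in size_t, and the AVIF_RESULT_INVALID_ARGUMENT return adds an error path that no test can exercise. If avifDimensionsToPixelCount() is kept, it belongs where dimensions are first read from the file, before any allocation; the hunk also does not show where the helper is defined or what it returns on a zero dimension, which the PR description should state.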
cc: @maryla-uc
metsw24-max: Thank you for your interest in reviewing libavif source code. The code in this file modified by this PR was reviewed at least twice recently. The reason we can multiply width and height (after casting to size_t) with no risk of integer overflow is that a buffer of dimensions width x height has been allocated successfully. Therefore we know width x height must fit in size_t. I am going to decline this PR.
Summary
This PR hardens gain-map dimension handling by introducing centralized checked pixel-count arithmetic and replacing unchecked `width * height` calculations in gain-map processing paths.

Changes
- avifDimensionsToPixelCount() helper for overflow-safe pixel-count computation
- avifDimensionsTooLarge() with explicit zero-dimension validation
- avifRWStreamFinishBox()

Testing
Added regression tests covering:
- avifDimensionsTooLarge()
Validated against existing build/tests and normal gain-map decoding paths.
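As an added illustration of the checked pixel-count arithmetic and zero-dimension validation the description refers to: this is example code written here, not libavif's own helpers or the code from this PR. The function names, the pixel-count limit, and the use of size_t (rather than uint32_t) for the dimensions are assumptions; size_t is used so the overflow path can be exercised on a 64-bit build, where two 32-bit dimensions can never overflow a 64-bit product.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed upper bound on the pixel count a decoder is willing to allocate.
 * The page does not show libavif's actual limit; this value is a placeholder. */
#define EXAMPLE_MAX_PIXELS ((size_t)1 << 28)

/* Overflow-safe width * height. Returns false and leaves *pixelCount untouched
 * when the product would not fit in size_t. The division-based test is portable
 * and does not depend on compiler builtins such as __builtin_mul_overflow. */
static bool exampleDimensionsToPixelCount(size_t width, size_t height, size_t * pixelCount)
{
    if (width != 0 && height > SIZE_MAX / width) {
        return false; /* width * height would wrap around */
    }
    *pixelCount = width * height;
    return true;
}

/* Rejects a zero dimension explicitly before applying the pixel-count limit:
 * a zero dimension yields a zero pixel count, which would otherwise pass any
 * "too many pixels" check even though no usable image can have that size. */
static bool exampleDimensionsTooLarge(size_t width, size_t height)
{
    size_t numPixels;
    if (width == 0 || height == 0) {
        return true;
    }
    if (!exampleDimensionsToPixelCount(width, height, &numPixels)) {
        return true; /* product overflowed size_t, so it is certainly too large */
    }
    return numPixels > EXAMPLE_MAX_PIXELS;
}

int main(void)
{
    /* Constructed sample dimensions: a plausible gain map, a zero dimension,
     * and a pair whose product wraps around in size_t. */
    const size_t samples[][2] = { { 1024, 768 }, { 0, 4096 }, { SIZE_MAX, 2 } };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i) {
        printf("%zu x %zu -> tooLarge=%d\n", samples[i][0], samples[i][1],
               (int)exampleDimensionsTooLarge(samples[i][0], samples[i][1]));
    }
    return 0;
}
```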