From 8af17b1c2da3efa2138e1ffecf291d7f3d2e1041 Mon Sep 17 00:00:00 2001
From: rootvector2
Date: Wed, 20 May 2026 14:53:00 +0530
Subject: [PATCH] fix integer overflow in byteList size calc in LZW_GenerateStream

MAX_CODE_LEN is an int literal (12) and lzwPos is uint32_t, so the intermediate product MAX_CODE_LEN * lzwPos was evaluated in 32-bit unsigned arithmetic before being divided into a uint64_t. For lzwPos above UINT32_MAX/12 (~358M) the multiplication wraps modulo 2^32, so MaxByteListLen / MaxByteListBlockLen end up much smaller than the actual number of bytes create_byte_list / create_byte_list_block can write into the buffer (heap overflow on the byteList malloc). For a max-size frame (65535 * 65535 pixels) the buggy value is about 536 MB whereas create_byte_list can write up to ~6.4 GB. Cast MAX_CODE_LEN to uint64_t so the entire expression is evaluated in 64-bit, matching the existing fix from #103 for pLZWData.
---
 src/cgif_raw.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/cgif_raw.c b/src/cgif_raw.c
index 56f9533..832a9d9 100644
--- a/src/cgif_raw.c
+++ b/src/cgif_raw.c
@@ -349,8 +349,8 @@ static int LZW_GenerateStream(LZWResult* pResult, const uint32_t numPixel, const
  // pack the generated LZW data into blocks of 255 bytes
  uint8_t *byteList; // lzw-data packed in byte-list
  uint8_t *byteListBlock; // lzw-data packed in byte-list with 255-block structure
- uint64_t MaxByteListLen = MAX_CODE_LEN * lzwPos / 8ull + 2ull + 1ull; // conservative upper bound
- uint64_t MaxByteListBlockLen = MAX_CODE_LEN * lzwPos * (BLOCK_SIZE + 1ull) / 8ull / BLOCK_SIZE + 2ull + 1ull +1ull; // conservative upper bound
+ uint64_t MaxByteListLen = (uint64_t)MAX_CODE_LEN * lzwPos / 8ull + 2ull + 1ull; // conservative upper bound
+ uint64_t MaxByteListBlockLen = (uint64_t)MAX_CODE_LEN * lzwPos * (BLOCK_SIZE + 1ull) / 8ull / BLOCK_SIZE + 2ull + 1ull +1ull; // conservative upper bound
  byteList = malloc(MaxByteListLen);
  byteListBlock = malloc(MaxByteListBlockLen);
  if(byteList == NULL || byteListBlock == NULL) {
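Review bot: The widened 64-bit bound is narrowed again at `byteList = malloc(MaxByteListLen);` and the line after it, because the uint64_t is implicitly converted to size_t at the call; on a build where size_t is 32 bits the ~6.4 GB worst case the description cites cannot be represented, so the allocation is undersized in exactly the way this patch sets out to prevent. A range check before the two malloc calls, `if(MaxByteListLen > SIZE_MAX || MaxByteListBlockLen > SIZE_MAX)` taking the same error-return path the function already uses for a failed allocation, would close that path (the NULL test below only catches malloc failing, not a truncated size). Whether the project targets 32-bit platforms I cannot tell from the hunk, but the guard is cheap either way and keeps the bound honest on every target. The casts also deserve a one-line comment so a later cleanup does not drop them as redundant, e.g. `// widen before multiplying: MAX_CODE_LEN is an int and lzwPos is uint32_t, so the product would wrap at 2^32`. LZW_GenerateStream begins and ends outside this hunk.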