[wxWidgets/wxWidgets] d1d660: Reject BMP RLE absolute runs that overrun the curr...


VZ

May 22, 2026, 11:13:12 AM
to wx-co...@googlegroups.com
Branch: refs/heads/master
Home: https://github.com/wxWidgets/wxWidgets
Commit: d1d6605e93961e3afe5778c14f951956db55fe1e
https://github.com/wxWidgets/wxWidgets/commit/d1d6605e93961e3afe5778c14f951956db55fe1e
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-22 (Fri, 22 May 2026)

Changed paths:
M src/common/imagbmp.cpp
M tests/image/image.cpp

Log Message:
-----------
Reject BMP RLE absolute runs that overrun the current scanline

In src/common/imagbmp.cpp::LoadBMPData() the absolute-mode branches of
both the BI_RLE4 (around line 763) and BI_RLE8 (around line 870) decode
loops increment 'column' for each pixel without checking it against
'width'. The image buffer is sized width * height * 3 and 'poffset' is
computed as line * width * 3 + column * 3, so an absolute escape with
a count larger than (width - column) keeps writing through the rest of
the row and into adjacent rows or past the end of the buffer entirely
on the last decoded scanline.

The neighbouring encoded-mode branches at lines 798 and 896 already use
"&& column < width" to clamp runs to the row width, and the delta-mode
branch at lines 758 and 863 rejects out-of-range row offsets, so the
absolute branches are the only RLE paths left without bounds checking.

Reject the file with return false when the absolute run would extend
past the right edge of the current row, matching the existing
"return false on malformed input" pattern in the same function.

Add a regression test that loads a 4x4 8bpp RLE BMP with an absolute
escape claiming 100 pixels on the first row and expects the loader to
fail rather than write past the image buffer.

Closes #26496.


Commit: d22a91e95268d2748fcf6656d70158f2c43ae234
https://github.com/wxWidgets/wxWidgets/commit/d22a91e95268d2748fcf6656d70158f2c43ae234
Author: jmestwa-coder <jme...@gmail.com>
Date: 2026-05-22 (Fri, 22 May 2026)

Changed paths:
M src/common/imagiff.cpp
M tests/image/image.cpp

Log Message:
-----------
Validate IFF BMHD fields to prevent pixel-buffer overflow

wxIFFDecoder::ReadIFF() in src/common/imagiff.cpp parses the BMHD
chunk without bounding the width, height or bitplane count. The
subsequent pixel buffer is allocated with

m_image->p = new byte[bmhd_width * bmhd_height * 3];

using signed-int multiplication. With bmhd_width = 21849 and
bmhd_height = 65535 (both legal 16-bit BMHD values) the product
4,295,622,645 overflows int and wraps down to 655,349, so only
~640 KiB is actually allocated. The BODY decode loop then writes
3 * bmhd_width bytes per row, so a BODY chunk supplying just 10
lineskips of zeros (lineskip = 2732 for this width, total 27,320
bytes) is enough to overrun the allocation. A bmhd_bitplanes or
bmhd_width of zero also makes lineskip * bmhd_bitplanes zero and
causes a divide-by-zero in the height computation a few lines
later.

Reject malformed BMHD chunks at parse time: require positive
width, height and bitplane count, cap the bitplane count at 32
(the largest format the decoder handles is 24-bit ILBM), and cap
bmhd_width * bmhd_height so that the product multiplied by 3
stays within INT_MAX. This makes the existing int-typed buffer
size computation safe and keeps the patch local to the BMHD
parsing branch.

A unit test in tests/image/image.cpp builds the malformed IFF
described above in memory, registers the IFF handler and asserts
that LoadFile() rejects it; without the fix the test triggers a
heap-buffer-overflow during BODY decoding.

Closes #26497.


Commit: 2d8898b02c06dc47209407ca6535f5228c9b53d6
https://github.com/wxWidgets/wxWidgets/commit/2d8898b02c06dc47209407ca6535f5228c9b53d6
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-22 (Fri, 22 May 2026)

Changed paths:
M include/wx/propgrid/advprops.h
M include/wx/propgrid/props.h

Log Message:
-----------
Use wxDEPRECATED_BUT_USED_INTERNALLY_MSG() in wxPG headers

It shouldn't be necessary to use this macro instead of the previously
used wxDEPRECATED_MSG() here because none of the functions is actually
used by wxWidgets, but MSVS 2026 somehow thinks they are and gives
warnings about it, so avoid the warning to fix the GitHub Actions CI job
using this compiler.


Compare: https://github.com/wxWidgets/wxWidgets/compare/8e005d1c31b5...2d8898b02c06
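As an added illustration of the second commit's fix (example code written here, not wxWidgets' own imagiff.cpp), the BMHD checks the commit message describes, factored into a stand-alone function; the wrapped product for the 21849 x 65535 case is computed in unsigned arithmetic so the example itself does not rely on signed overflow:

```cpp
#include <climits>
#include <cstdint>

// Added example (not wxWidgets code): the BMHD field checks described in the
// commit message. Field names follow the commit text (bmhd_width,
// bmhd_height, bmhd_bitplanes); the cap of 32 bitplanes and the INT_MAX bound
// on width * height * 3 are the commit's own choices.
static const int kMaxBitplanes = 32;

// Returns true if the header fields are acceptable, false if the file should
// be rejected at parse time, before any pixel buffer is allocated.
bool ValidateBMHD(int bmhd_width, int bmhd_height, int bmhd_bitplanes)
{
    // Zero or negative dimensions: a zero width also makes lineskip zero and
    // feeds the divide-by-zero in the height computation, so reject it here.
    if (bmhd_width <= 0 || bmhd_height <= 0)
        return false;

    // Zero bitplanes has the same divide-by-zero effect; more than 32 is
    // outside anything the decoder handles (24-bit ILBM at most).
    if (bmhd_bitplanes <= 0 || bmhd_bitplanes > kMaxBitplanes)
        return false;

    // The decoder sizes its buffer as width * height * 3 in int. Do the
    // product in 64 bits and refuse anything whose tripled value would not
    // fit in INT_MAX, so the int-typed computation can no longer wrap.
    const std::int64_t pixels =
        static_cast<std::int64_t>(bmhd_width) * bmhd_height;
    if (pixels > INT_MAX / 3)
        return false;

    return true;
}

// The value the unchecked 32-bit multiplication would yield, computed by
// modular reduction in unsigned 64-bit arithmetic rather than by overflowing
// a signed int. For 21849 x 65535 this is 655349, the ~640 KiB
// under-allocation the commit message describes.
std::uint32_t WrappedBufferSize(int bmhd_width, int bmhd_height)
{
    const std::uint64_t full =
        static_cast<std::uint64_t>(bmhd_width) * bmhd_height * 3u;
    return static_cast<std::uint32_t>(full & 0xFFFFFFFFu);
}
```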

To unsubscribe from these emails, change your notification settings at https://github.com/wxWidgets/wxWidgets/settings/notifications