fix(iff): detect corrupt chunk sizes, flags, channel configs#5268

Open
lgritz wants to merge 2 commits into
AcademySoftwareFoundation:mainfrom
lgritz:lg-iffchunk
Conversation

@lgritz

@lgritz lgritz commented Jun 27, 2026

Collaborator

Detect and reject corrupt chunk sizes, flags, and channel configurations in the header.

Assisted-by: Claude Code / Claude Opus 4.8

lgritz added 2 commits June 27, 2026 19:30
Detect and reject corrupt chunk sizes, flags, and channel
configurations in the header.

Assisted-by: Claude Code / Claude Opus 4.8

Signed-off-by: Larry Gritz <lg@larrygritz.com>
A crafted Maya IFF with the TBHD ZBUFFER flag set but RGBA clear took the
ZBUFFER-only branch, which set rgba_count=1/rgba_bits=32 while leaving
zbuffer=0. open() then exposed the image as 1-channel UINT16 (so callers
size their tile buffer from ImageSpec::tile_bytes(true)), but the internal
pixel_bytes() stayed 32-bit. read_native_tile() copied by the internal
pixel size, writing past the smaller caller buffer -- a heap out-of-bounds
write.

Such files can never be decoded anyway: readimg()'s tile loop only handles
8- and 16-bit RGBA pixels and explicitly errors on 32-bit. So reject
ZBUFFER-only headers at open() instead of fabricating an inconsistent spec.

Also:
- Generalize the channel-config check to require rgba_count in {3,4}, which
  additionally rejects headers with no color flags at all.
- Clear m_buf when readimg() fails. readimg() resizes m_buf before decoding,
  so a partial/failed decode left a non-empty buffer that a later tile
  request would reuse, skipping the (failed) decode and copying stale data.

Adds regression test src/zbuffer_only.iff.

Assisted-by: Claude Code / Claude Opus 4.8

Signed-off-by: Larry Gritz <lg@larrygritz.com>
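The commit message above describes three defensive changes: rejecting a ZBUFFER-only TBHD header at open() instead of deriving an inconsistent spec from it, requiring rgba_count to be 3 or 4, and clearing the cached decode buffer when readimg() fails so a later tile request cannot reuse stale data. The following C++ is an added illustration of those checks, not OpenImageIO's own reader code; the flag bit values, the `ChannelConfig` struct, the `IffTileReader` class and the constructed pixel data are all assumptions made for the example. It also adds a bounds check in the tile copy so a caller buffer sized from a different pixel size is refused rather than overrun.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Assumed TBHD flag bits for this illustration; not taken from the OpenImageIO source.
enum TbhdFlag : uint32_t { RGB_FLAG = 1u, ALPHA_FLAG = 2u, ZBUFFER_FLAG = 4u };

struct ChannelConfig {
    int rgba_count = 0;  // colour channels the header implies
    int rgba_bits  = 0;  // bits per colour channel
    int zbuffer    = 0;  // 1 when a depth channel is present
};

// Derive the channel configuration from the TBHD flags, rejecting headers that
// would otherwise yield a spec the decoder cannot honour:
//   - ZBUFFER set with RGB clear (the header that produced the mismatched sizes)
//   - rgba_count outside {3,4}, which also covers headers with no colour flags
//   - colour depths the tile decoder does not handle (only 8- and 16-bit here)
bool channel_config_from_flags(uint32_t flags, int rgba_bits,
                               ChannelConfig& cfg, std::string& err)
{
    const bool rgb     = (flags & RGB_FLAG) != 0;
    const bool alpha   = (flags & ALPHA_FLAG) != 0;
    const bool zbuffer = (flags & ZBUFFER_FLAG) != 0;
    if (zbuffer && !rgb) {
        err = "ZBUFFER-only header is not decodable";
        return false;
    }
    const int count = (rgb ? 3 : 0) + (alpha ? 1 : 0);
    if (count != 3 && count != 4) {
        err = "channel configuration must be RGB or RGBA";
        return false;
    }
    if (rgba_bits != 8 && rgba_bits != 16) {
        err = "unsupported colour depth";
        return false;
    }
    cfg.rgba_count = count;
    cfg.rgba_bits  = rgba_bits;
    cfg.zbuffer    = zbuffer ? 1 : 0;
    return true;
}

// Minimal stand-in for the tile reader: one cached decode of the image (m_buf)
// that tile requests copy from.
class IffTileReader {
public:
    IffTileReader(int w, int h, const ChannelConfig& cfg, bool decode_succeeds)
        : m_w(w), m_h(h), m_cfg(cfg), m_decode_ok(decode_succeeds) {}

    // Bytes per pixel the reader copies internally.
    size_t pixel_bytes() const
    { return size_t(m_cfg.rgba_count) * size_t(m_cfg.rgba_bits / 8); }

    // Bytes a caller must supply for one tile. Derived from the same config as
    // pixel_bytes(), so the exposed and internal sizes cannot drift apart.
    size_t tile_bytes() const { return pixel_bytes() * size_t(m_w) * size_t(m_h); }

    // Copy the decoded tile into dst. A destination smaller than tile_bytes()
    // is refused instead of being written past.
    bool read_native_tile(std::vector<uint8_t>& dst)
    {
        if (m_buf.empty() && !readimg())
            return false;
        if (dst.size() < tile_bytes())
            return false;
        std::copy(m_buf.begin(), m_buf.end(), dst.begin());
        return true;
    }

    size_t cached_bytes() const { return m_buf.size(); }

private:
    bool readimg()
    {
        m_buf.assign(tile_bytes(), 0);  // resized before decoding, as in the description
        if (!m_decode_ok) {
            m_buf.clear();  // a failed decode leaves nothing for a later request to reuse
            return false;
        }
        for (size_t i = 0; i < m_buf.size(); ++i)
            m_buf[i] = uint8_t(i & 0xffu);  // constructed pixel data for the example
        return true;
    }

    int m_w, m_h;
    ChannelConfig m_cfg;
    bool m_decode_ok;
    std::vector<uint8_t> m_buf;
};
```

The point of deriving both `pixel_bytes()` and `tile_bytes()` from one `ChannelConfig` is that the caller's buffer and the internal copy length come from the same source, so the header can no longer be exposed as one channel width while the copy loop uses another; the explicit size comparison in `read_native_tile()` is a second line of defence if they ever do diverge.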
@lgritz

lgritz commented Jun 30, 2026

Collaborator Author

I have amended this PR to handle an additional related case.
