fix(psd): validate color_mode before RawColor early return #5282

Open
lgritz wants to merge 1 commit into AcademySoftwareFoundation:main from lgritz:lg-psdcolormode
lgritz (Collaborator) commented Jul 1, 2026

validate_header() let the oiio:RawColor/psd:RawData path return true before the switch that rejects unknown m_header.color_mode values, so an out-of-range or "hole" (undocumented) color mode reached setup(), which unconditionally indexes the fixed 10-entry mode_channel_count / mode_channel_names tables with the attacker-controlled value -- a global out-of-bounds read (and, per external report, a path to unbounded/bogus allocation) reachable via the public RawColor config attribute on a crafted PSD.

Move the "is this a color mode we know about at all" check ahead of the RawColor early return so it always runs, and keep the existing Duotone/Lab-unsupported-without-raw check as a second pass after the early return, preserving current behavior for every valid mode.

Assisted-by: Claude Code / claude-sonnet-5

Signed-off-by: Larry Gritz <lg@larrygritz.com>
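
The check ordering described in this PR, as an added C++ example that is not OpenImageIO's code: a simplified model of `validate_header()` before and after the reordering. `is_known_mode`, `channel_count_for`, the table values and the sample inputs are assumptions made for illustration; the color mode numbers follow the PSD format (5 and 6 are the undocumented holes).

```cpp
// Added illustration (not OpenImageIO source): simplified model of the check ordering.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// PSD color modes; values 5 and 6 are undocumented "holes".
enum ColorMode : uint16_t { Bitmap = 0, Grayscale = 1, Indexed = 2, RGB = 3, CMYK = 4,
                            Multichannel = 7, Duotone = 8, Lab = 9 };
// Stand-in for the fixed 10-entry table (illustrative values; 0 marks a hole).
static const std::array<int, 10> mode_channel_count = { 1, 1, 1, 3, 4, 0, 0, 1, 1, 3 };

static bool is_known_mode(uint16_t m) {  // hypothetical helper
    switch (m) {
    case Bitmap: case Grayscale: case Indexed: case RGB: case CMYK:
    case Multichannel: case Duotone: case Lab: return true;
    default: return false;
    }
}

// Ordering described as the bug: the raw-color path returns before any mode check.
static bool validate_header_before(uint16_t color_mode, bool raw_color) {
    if (raw_color)
        return true;  // unknown and hole modes escape validation here
    return is_known_mode(color_mode) && color_mode != Duotone && color_mode != Lab;
}

// Ordering described as the fix: known-mode check first, raw-only check second.
static bool validate_header_after(uint16_t color_mode, bool raw_color) {
    if (!is_known_mode(color_mode))
        return false;  // always runs, raw or not
    if (raw_color)
        return true;
    return color_mode != Duotone && color_mode != Lab;  // unsupported without raw
}

// Table lookup with an added defensive bounds check (assumption, defence in depth).
static int channel_count_for(uint16_t color_mode) {
    if (static_cast<std::size_t>(color_mode) >= mode_channel_count.size())
        return -1;  // refuse instead of reading past the table
    return mode_channel_count[color_mode];
}

int main() {
    const uint16_t samples[] = { RGB, Duotone, 5, 200 };  // constructed inputs
    for (uint16_t m : samples)
        std::printf("mode %3u raw: before=%d after=%d count=%d\n", (unsigned)m,
            validate_header_before(m, true), validate_header_after(m, true), channel_count_for(m));
}
```

A regression test for this class of bug should cover both an out-of-range value and a hole value with the raw attribute set, since only that combination took the early return.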