RLA: fix potential buffer overrun (AcademySoftwareFoundation#3624)

lgritz · Oct 24, 2022 · b9e96ec · b9e96ec
1 parent 2ef6c48
commit b9e96ec
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 1 deletion.
diff --git a/src/rla.imageio/rlainput.cpp b/src/rla.imageio/rlainput.cpp
@@ -489,7 +489,8 @@ RLAInput::decode_rle_span(unsigned char* buf, int n, int stride,
         signed char count = (signed char)encoded[e++];
         if (count >= 0) {
             // run count positive: value repeated count+1 times
-            for (int i = 0; i <= count && n; ++i, buf += stride, --n)
+            for (int i = 0; i <= count && n && e < elen;
+                 ++i, buf += stride, --n)
                 *buf = encoded[e];
             ++e;
         } else {

diff --git a/testsuite/rla/ref/out.err.txt b/testsuite/rla/ref/out.err.txt
@@ -4,3 +4,6 @@ Full command line was:
 oiiotool ERROR: read : "../oiio-images/rla/crash2.rla": Read error: not enough data in scanline 73, channel 0
 Full command line was:
 > oiiotool -colorconfig ../common/OpenColorIO/nuke-default/config.ocio ../oiio-images/rla/crash2.rla -o crash2.exr
+oiiotool ERROR: read : "src/crash-1629.rla": Read error: malformed RLE record
+Full command line was:
+> oiiotool -colorconfig ../common/OpenColorIO/nuke-default/config.ocio src/crash-1629.rla -o crash3.exr
diff --git a/testsuite/rla/run.py b/testsuite/rla/run.py
@@ -16,5 +16,6 @@
 # Test corrupted files
 command += oiiotool(OIIO_TESTSUITE_IMAGEDIR + "/rla/crash1.rla -o crash1.exr", failureok = True)
 command += oiiotool(OIIO_TESTSUITE_IMAGEDIR + "/rla/crash2.rla -o crash2.exr", failureok = True)
+command += oiiotool("src/crash-1629.rla -o crash3.exr", failureok = True)
 
 outputs = [ "rlacrop.rla", 'out.txt', 'out.err.txt' ]
diff --git a/testsuite/rla/src/crash-1629.rla b/testsuite/rla/src/crash-1629.rla