mirror/opencv
1
0
Fork 0
mirror of https://github.com/opencv/opencv.git synced 2025-07-24 14:06:27 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #27138 from vrabaud:lzw

Browse Source 
Fix heap buffer overflow and use after free in imgcodecs #27138

This fixes:
- https://g-issues.oss-fuzz.com/issues/405243132
- https://g-issues.oss-fuzz.com/issues/405456349

### Pull Request Readiness Checklist

See details at https://github.com/opencv/opencv/wiki/How_to_contribute#making-a-good-pull-request

- [x] I agree to contribute to the project under Apache 2 License.
- [x] To the best of my knowledge, the proposed patch is not based on a code under GPL or another license that is incompatible with OpenCV
- [x] The PR is proposed to the proper branch
- [x] There is a reference to the original bug report and related work
- [ ] There is accuracy test, performance test and test data in opencv_extra repository, if applicable
      Patch to opencv_extra has the same branch name.
- [ ] The feature is well documented and sample code can be built with the project CMake
This commit is contained in:
Vincent Rabaud 2025-03-26 15:14:50 +01:00 committed by GitHub
parent 8e2826ddd6
commit 42a132088c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 35 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
modules/imgcodecs/src/grfmt_gif.cpp
View File

@ -392,6 +392,8 @@ bool GifDecoder::lzwDecode() {
if (code < colorTableSize) {
imgCodeStream[idx++] = (uchar)code;
} else {
CV_LOG_WARNING(NULL, "Too long LZW length in GIF.");
CV_Assert(idx + lzwExtraTable[code].length <= width * height);
for (int i = 0; i < lzwExtraTable[code].length - 1; i++) {
imgCodeStream[idx++] = lzwExtraTable[code].prefix[i];
}

51
modules/imgcodecs/src/grfmt_png.cpp
View File

@ -401,7 +401,7 @@ bool PngDecoder::readData( Mat& img )
Mat mat_cur = Mat::zeros(img.rows, img.cols, m_type);
uint32_t id = 0;
uint32_t j = 0;
uint32_t imagesize = m_width * m_height * mat_cur.channels();
uint32_t imagesize = m_width * m_height * (uint32_t)mat_cur.elemSize();
m_is_IDAT_loaded = false;
if (m_frame_no == 0)
@ -451,15 +451,26 @@ bool PngDecoder::readData( Mat& img )
delay_den = 100;
m_animation.durations.push_back(cvRound(1000.*delay_num/delay_den));
if (mat_cur.depth() == CV_16U && img.depth() == CV_8U)
mat_cur.convertTo(mat_cur, CV_8U, 1. / 255);
if (mat_cur.channels() == img.channels())
mat_cur.copyTo(img);
else if (img.channels() == 1)
cvtColor(mat_cur, img, COLOR_BGRA2GRAY);
else if (img.channels() == 3)
cvtColor(mat_cur, img, COLOR_BGRA2BGR);
{
if (mat_cur.depth() == CV_16U && img.depth() == CV_8U)
mat_cur.convertTo(img, CV_8U, 1. / 255);
else
mat_cur.copyTo(img);
}
else
{
Mat mat_cur_scaled;
if (mat_cur.depth() == CV_16U && img.depth() == CV_8U)
mat_cur.convertTo(mat_cur_scaled, CV_8U, 1. / 255);
else
mat_cur_scaled = mat_cur;
if (img.channels() == 1)
cvtColor(mat_cur_scaled, img, COLOR_BGRA2GRAY);
else if (img.channels() == 3)
cvtColor(mat_cur_scaled, img, COLOR_BGRA2BGR);
}
if (dop != 2)
{
@ -517,15 +528,19 @@ bool PngDecoder::readData( Mat& img )
delay_den = 100;
m_animation.durations.push_back(cvRound(1000.*delay_num/delay_den));
if (mat_cur.depth() == CV_16U && img.depth() == CV_8U)
mat_cur.convertTo(mat_cur, CV_8U, 1. / 255);
if (mat_cur.channels() == img.channels())
mat_cur.copyTo(img);
else if (img.channels() == 1)
cvtColor(mat_cur, img, COLOR_BGRA2GRAY);
else if (img.channels() == 3)
cvtColor(mat_cur, img, COLOR_BGRA2BGR);
if (mat_cur.depth() == CV_16U && img.depth() == CV_8U && mat_cur.channels() == img.channels())
mat_cur.convertTo(img, CV_8U, 1. / 255);
else
{
if (mat_cur.depth() == CV_16U && img.depth() == CV_8U)
mat_cur.convertTo(mat_cur, CV_8U, 1. / 255);
if (mat_cur.channels() == img.channels())
mat_cur.copyTo(img);
else if (img.channels() == 1)
cvtColor(mat_cur, img, COLOR_BGRA2GRAY);
else if (img.channels() == 3)
cvtColor(mat_cur, img, COLOR_BGRA2BGR);
}
}
else
return false;