From df16efb83b4675744c7cd7e0655563e20afab0ae Mon Sep 17 00:00:00 2001 From: Lilith River Date: Tue, 7 Apr 2026 23:46:31 -0600 Subject: [PATCH] fix: prevent integer overflow in alloc_image dimension check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The width*height multiplication in alloc_image_plain! was unchecked. On 64-bit, crafted dimensions like 0xFFFFFFFFĂ—2 wrap past the 500M limit check. Use checked_mul to detect overflow before comparison. --- src/decoders/mod.rs | 5 +++-- src/lib.rs | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/decoders/mod.rs b/src/decoders/mod.rs index cf751956..2a1df030 100644 --- a/src/decoders/mod.rs +++ b/src/decoders/mod.rs @@ -24,8 +24,9 @@ macro_rules! fetch_ifd { macro_rules! alloc_image_plain { ($width:expr, $height:expr, $dummy: expr) => ( { - if $width * $height > 500000000 || $width > 50000 || $height > 50000 { - panic!("rawloader: surely there's no such thing as a >500MP or >50000 px wide/tall image!"); + let pixels = ($width as u64).checked_mul($height as u64).unwrap_or(u64::MAX); + if pixels > 500000000 || $width > 50000 || $height > 50000 { + panic!("rawloader: image dimensions exceed limits ({}x{})", $width, $height); } if $dummy { vec![0] diff --git a/src/lib.rs b/src/lib.rs index 97603274..d83eca22 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -56,7 +56,7 @@ pub use decoders::cfa::CFA; #[doc(hidden)] pub use decoders::RawLoader; lazy_static! { - static ref LOADER: RawLoader = decoders::RawLoader::new(); + static ref LOADER: RawLoader = RawLoader::new(); } use std::path::Path;