From 3460814b9862795015e2295272157a72555ff4fd Mon Sep 17 00:00:00 2001
From: Kleis Auke Wolthuizen
Date: Sun, 19 Jul 2020 13:48:21 +0200
Subject: [PATCH 1/2] Add test case for undefined shift in rad2vips

---
 .../thumbnail_fuzzer-5111890150424576 | Bin 0 -> 33 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 fuzz/common_fuzzer_corpus/thumbnail_fuzzer-5111890150424576

diff --git a/fuzz/common_fuzzer_corpus/thumbnail_fuzzer-5111890150424576 b/fuzz/common_fuzzer_corpus/thumbnail_fuzzer-5111890150424576
new file mode 100644
index 0000000000000000000000000000000000000000..61df2231e1e96c9ea4c91211d847f379c62e9f2c
GIT binary patch
literal 33
ecmY$k4{~(zbo6s}<>HDkj5Ot9WMpJO!v6tc!UWm?

literal 0
HcmV?d00001


From aac17486152b90de3f5d22cca1b30de1be6333fb Mon Sep 17 00:00:00 2001
From: Kleis Auke Wolthuizen
Date: Sun, 19 Jul 2020 14:37:38 +0200
Subject: [PATCH 2/2] Explicitly cast to unsigned int before left-shifting

To avoid potential signed integer overflow (undefined behavior), as implicit integer promotion means the operand becomes a (signed) int.
---
 libvips/foreign/radiance.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libvips/foreign/radiance.c b/libvips/foreign/radiance.c
index c9889b14..431f4c5a 100644
--- a/libvips/foreign/radiance.c
+++ b/libvips/foreign/radiance.c
@@ -544,9 +544,9 @@ scanline_read_old( VipsSbuf *sbuf, COLR *scanline, int width )
 if( scanline[0][RED] == 1 &&
 scanline[0][GRN] == 1 &&
 scanline[0][BLU] == 1 ) {
- int i;
+ guint i;

- for( i = scanline[0][EXP] << rshift;
+ for( i = ((guint32) scanline[0][EXP] << rshift);
 i > 0 && width > 0; i-- ) {
 copycolr( scanline[0], scanline[-1] );
 scanline += 1;
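Review bot: The `(guint32)` cast on the new `for( i = ((guint32) scanline[0][EXP] << rshift);` line removes the signed-overflow case, but the shift count itself is still unchecked at this point: `rshift` is maintained outside this hunk, and if, as in the Radiance reference reader this loop mirrors, it grows by 8 after every repeat run, an input with four consecutive repeat markers drives it to 32 and `x << 32` on a 32-bit operand is undefined regardless of signedness. Unless rshift is already clamped elsewhere in scanline_read_old, I would reject such data before the shift with a guard like `if( rshift > 24 ) return( -1 );` (using whatever error convention this function follows) and record the invariant in a comment, `/* rshift <= 24 here, so the shift below is always defined */`. With `i` now unsigned the count can be as large as 255 << 24, so the loop depends on the `width > 0` test to terminate; a one-line comment saying so would help the next reader. scanline_read_old starts before this hunk and continues after it, so rshift's updates and the error path are not visible here.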