Skip to content

fix: prevent integer overflow and OOB write in PSDDecoder #9881

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
YLChen-007 wants to merge 2 commits into from
+22 −1
Closed

fix: prevent integer overflow and OOB write in PSDDecoder #9881

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
017ac47
fix: prevent integer overflow and OOB write in PSDDecoder
YLChen-007 Apr 8, 2026
f35db91
fix(imageio): correct PSD decoder dimension limit to 30,000
YLChen-007 Apr 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion libs/image/src/LinearImage.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,14 +16,22 @@

#include <image/LinearImage.h>

#include <utils/Panic.h>

#include <cstring> // for memset
#include <memory>

#include <new>
#include <limits>

namespace image {

struct LinearImage::SharedReference {
SharedReference(uint32_t width, uint32_t height, uint32_t channels) {
const uint32_t nfloats = width * height * channels;
const uint64_t nfloats64 = (uint64_t)width * (uint64_t)height * (uint64_t)channels;
FILAMENT_CHECK_PRECONDITION(nfloats64 <= UINT32_MAX && nfloats64 <= (std::numeric_limits<size_t>::max() / sizeof(float)))
Copy link
Copy Markdown
Contributor

@z3moon z3moon Apr 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check looks valid. But could you add comments what this checks mean?

<< "LinearImage allocation size is too large";
const uint32_t nfloats = (uint32_t)nfloats64;
float* floats = new float[nfloats];
memset(floats, 0, sizeof(float) * nfloats);
pixels = std::shared_ptr<float>(floats, std::default_delete<float[]>());
Expand Down
7 changes: 7 additions & 0 deletions libs/imageio/src/ImageDecoder.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -373,6 +373,13 @@ LinearImage PSDDecoder::decode() {
uint32_t width = ntohl(h.width);
uint32_t height = ntohl(h.height);

if (width == 0 || height == 0) {
throw std::runtime_error("invalid PSD dimensions: width and height must be non-zero");
}
if (width > 300000 || height > 300000) {
Copy link
Copy Markdown
Contributor

@z3moon z3moon Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these correct numbers for PSD? could you add comments regarding this?

Copy link
Copy Markdown
Contributor

@romainguy romainguy Apr 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are the correct numbers. For images larger than 30,000 pixels you need a different format called PSB (Photoshop Big). But yeah, it could use a short comment or use of a constant.

Copy link
Copy Markdown
Contributor

@z3moon z3moon Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like ImageDecoder.cpp doesn't support PSB file. The signature check and the Head struct is hard-coded for PSD. So this needs to be 30,000 with proper comments.

Copy link
Copy Markdown
Author

@YLChen-007 YLChen-007 Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank your response, I have submitted a new commit. Is there any problem in this new commit?

Copy link
Copy Markdown
Contributor

@z3moon z3moon Apr 13, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you check my other comment?

throw std::runtime_error("PSD dimensions exceed maximum allowed size");
}

uint32_t length;

// color mode data section
Expand Down