Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Upcast image stride to 64-bit when multiplying values. #8572

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 8, 2017
Merged

Upcast image stride to 64-bit when multiplying values. #8572

merged 1 commit into from
May 8, 2017

Conversation

QuLogic
Copy link
Member

@QuLogic QuLogic commented May 4, 2017

Dimensions are limited to 16 bits which when multiplied together should
fit in a 32-bit number. But the stride is (for RGBA) 4 times one
dimension and both index and stride are signed (which is 31 bits), so
it can overflow and become negative. This makes any access to a high
enough index go to somewhere before the start of the buffer.

Fixes #8558.

@QuLogic QuLogic added this to the 2.0.2 (next bug fix release) milestone May 4, 2017
@QuLogic QuLogic requested review from mdboom, efiring and tacaswell May 4, 2017 23:44
@QuLogic
Upcast image stride to 64-bit when multiplying values.
46592b2 
Dimensions are limited to 16 bits which when multiplied together should
fit in a 32-bit number. But the stride is (for RGBA) 4 times one
dimension *and* both index and stride are signed (which is 31 bits), so
it can overflow and become negative. This makes any access to a high
enough index go to somewhere before the start of the buffer.

Fixes matplotlib#8558.
@QuLogic QuLogic force-pushed the big-image-crash branch from 4be663b to 46592b2 Compare May 4, 2017 23:54
efiring
efiring approved these changes May 7, 2017
View reviewed changes
Copy link
Member

@efiring efiring left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes sense to me.

@tacaswell tacaswell modified the milestones: 2.0.3 (next bug fix release), 2.0.2 (critical bug fixes from 2.0.1) May 7, 2017
@mdboom
Copy link
Member

mdboom commented May 8, 2017

Makes sense to me.

@mdboom
Copy link
Member

mdboom commented May 8, 2017

If there's a way to add a test, that would be ideal. However, allocating that much memory as part of the test suite would be -- um -- obnoxious to say the least.

@mdboom
Copy link
Member

mdboom commented May 8, 2017

Also, to be a "good citizen", we should probably send this patch to the agg24-svn project upstream on sourceforge.

@tacaswell tacaswell merged commit b546822 into matplotlib:v2.0.x May 8, 2017
@QuLogic
Copy link
Member Author

QuLogic commented May 8, 2017

Don't think there's a way to add a non-obnoxious test since it requires a figure that is greater than 31-bits in total size.

@QuLogic QuLogic deleted the big-image-crash branch May 8, 2017 20:10
@tacaswell tacaswell mentioned this pull request Sep 18, 2017
Closed
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efiring efiring efiring approved these changes

@tacaswell tacaswell tacaswell approved these changes

@mdboom mdboom Awaiting requested review from mdboom

Assignees
No one assigned
Labels
backend: agg
Projects
None yet
Milestone
v2.0.2 (critical bug fixes from 2.0.1)
Development

Successfully merging this pull request may close these issues.
5 participants
@QuLogic @mdboom @efiring @tacaswell @dstansby