#52 Buffer overflow (read access) in iluScale2DBilinear_()

[Anonymous]

Let's assume the image is 256x211, RGB and gets scaled
to 256x256. I haven't done the math, but I'm pretty
sure that this overflow happens with othersizes as well
(maybe all cases barring the ones where
oldheight==newheight).

What happens is this:

ILimage *iluScale2D_(ILimage *Image, ILimage *Scaled,
ILuint Width, ILuint Height)
{
// ....
ScaleX = (ILfloat)Width / Image->Width;
ScaleY = (ILfloat)Height / Image->Height;
// ...
}

// Suppose Image->Width=256, Image->Height=211
// Width=256, Height=256
// Image->Bpp = 3, ImgBps = 768

ILimage *iluScale2DBilinear_(ILimage *Image, ILimage
*Scaled, ILuint Width, ILuint Height)
{
ImgBps = Image->Bps / Image->Bpc;
SclBps = Scaled->Bps / Scaled->Bpc;

switch (Image->Bpc)
{
case 1:
Height--; // Only use regular Height once in the
following loop.
// Height=255
for (y = 0; y < Height; y++) {
// y is (up to) 254
NewY1 = (ILuint)(y / ScaleY) * ImgBps;
// NewY2 is (up to)
// 254 * ScaleY * ImgBps =
// 254 * Height / Image->Height * 768 =
// 254*255/256*768 = 160512
NewY2 = (ILuint)((y+1) / ScaleY) * ImgBps;
// NewY2 is (up to)
// (254+1) * ScaleY * ImgBps =
// 255 * Height / Image->Height * 768 =
// 255*255/256*768 = 161280
for (x = 0; x < Width; x++) {
NewX = Width / ScaleX;
//>>>>>>>>>>>>>>>>>> does NewX need to be calculated
inside the loop?
//>>>>>>>>>>>>>>>>>> Newx == Width / (Width /
Image->Width) == Image->Width
t1 = x / (ILdouble)Width;
t4 = t1 * Width;
//>>>>>>>>>>>>>>>>>> t4 is always equal to x (barring
calculation imprecision)
t2 = t4 - (ILuint)(t4);
//>>>>>>>>>>>>>>>>>> ... hence t2 is always 0.0
t3 = (1.0 - t2);
//>>>>>>>>>>>>>>>>>> ... and t3 is 1.0
t4 = t1 * NewX;
NewX1 = (ILuint)(t4) * Image->Bpp;
// NewX1 is (up to)
// (t1 * NewX) + Image->Bpp =
// (t1 * Image->Width) + 3 =
// (x / Width * 256) + 3 =
// (x / 256 * 256) + 3 =
// (255) * 3 =
// 765
NewX2 = (ILuint)(t4 + 1) * Image->Bpp;
// NewX2 is (up to)
// (t1 * NewX + 1) + Image->Bpp =
// (t1 * Image->Width + 1) + 3 =
// (x / Width * 256 + 1) + 3 =
// (x / 256 * 256 + 1) + 3 =
// (255 + 1) * 3 =
// 768

for (c = 0; c < Scaled->Bpp; c++) {
// c is (up to) 2
Table[0][c] = t3 * Image->Data[NewY1 + NewX1 + c] +
t2 * Image->Data[NewY1 + NewX2 + c];

Table[1][c] = t3 * Image->Data[NewY2 + NewX1 + c] +
t2 * Image->Data[NewY2 + NewX2 + c];
// NewY2 + NewX2 + c is (up to)
// 161280 + 768 + 2 = 162050
// Image->SizeOfData = 256 * 211 * 3 = 162048
///////////////////////////////////////^^^^^^/
// Buffer overflow by 3! //
//////////////////////////////////////////////
}

// Linearly interpolate between the table values.
t1 = y / (ILdouble)(Height + 1); // Height+1 is
the real height now.
t3 = (1.0 - t1);
Size = y * SclBps + x * Scaled->Bpp;
for (c = 0; c < Scaled->Bpp; c++) {
Scaled->Data[Size + c] =
(ILubyte)(t3 * Table[0][c] + t1 * Table[1][c]);
}
}
}

[Nobody/Anonymous]

Logged In: NO

I use 'ilu_scale2d.c' from version 1.6.5 with version 1.6.7. This
old version works good for me. Maybe someone should check
the changes since 1.6.5