Avoid possible overflow when multiplication result is cast up

lovell · lovell · commit 21ede63118a3 · 2025-03-07T22:18:03.000Z
diff --git a/ChangeLog b/ChangeLog
@@ -25,6 +25,7 @@
 - heifsave: reject multiband images [lovell]
 - heifload: prevent possible int overflow for large images [kleisauke]
 - tiffload: add missing read loop [kleisauke]
+- avoid possible overflow when multiplication result is cast up [lovell]
 
 10/10/24 8.16.0
 
diff --git a/libvips/arithmetic/hist_find_indexed.c b/libvips/arithmetic/hist_find_indexed.c
@@ -117,8 +117,8 @@ histogram_new(VipsHistFindIndexed *indexed)
 		!(hist->reg = vips_region_new(indexed->index_ready)))
 		return NULL;
 
-	memset(hist->bins, 0, bands * hist->size * sizeof(double));
-	memset(hist->init, 0, hist->size * sizeof(int));
+	memset(hist->bins, 0, (size_t) bands * hist->size * sizeof(double));
+	memset(hist->init, 0, (size_t) hist->size * sizeof(int));
 
 	return hist;
 }
diff --git a/libvips/arithmetic/project.c b/libvips/arithmetic/project.c
@@ -109,8 +109,8 @@ histogram_new(VipsProject *project)
 		!hist->row_sums)
 		return NULL;
 
-	memset(hist->column_sums, 0, psize * in->Xsize);
-	memset(hist->row_sums, 0, psize * in->Ysize);
+	memset(hist->column_sums, 0, (size_t) psize * in->Xsize);
+	memset(hist->row_sums, 0, (size_t) psize * in->Ysize);
 
 	return hist;
 }
diff --git a/libvips/colour/LCh2UCS.c b/libvips/colour/LCh2UCS.c
@@ -165,7 +165,7 @@ vips_col_Ch2hcmc(float C, float h)
 	}
 
 	P = cos(VIPS_RAD(k7 * h + k8));
-	D = k4 + k5 * P * pow(VIPS_FABS(P), k6);
+	D = k4 + k5 * P * (float) pow(VIPS_FABS(P), k6);
 	g = C * C * C * C;
 	f = sqrt(g / (g + 1900.0));
 	hcmc = h + D * f;
diff --git a/libvips/conversion/bandfold.c b/libvips/conversion/bandfold.c
@@ -96,7 +96,7 @@ vips_bandfold_gen(VipsRegion *out_region,
 		/* We can't use vips_region_region() since we change pixel
 		 * coordinates.
 		 */
-		memcpy(q, p, psize * r->width);
+		memcpy(q, p, (size_t) psize * r->width);
 	}
 
 	return 0;
diff --git a/libvips/conversion/bandunfold.c b/libvips/conversion/bandunfold.c
@@ -99,7 +99,7 @@ vips_bandunfold_gen(VipsRegion *out_region,
 		/* We can't use vips_region_region() since we change pixel
 		 * coordinates.
 		 */
-		memcpy(q, p, r->width * psize);
+		memcpy(q, p, (size_t) r->width * psize);
 	}
 
 	return 0;
diff --git a/libvips/conversion/composite.cpp b/libvips/conversion/composite.cpp
@@ -899,7 +899,7 @@ vips_composite_base_blend3(VipsCompositeSequence *seq,
 			/* You can't sqrt a vector, so we must loop.
 			 */
 			for (int b = 0; b < 3; b++) {
-				double g;
+				float g;
 
 				if (B[b] <= 0.25)
 					g = ((16 * B[b] - 12) * B[b] + 4) * B[b];
diff --git a/libvips/conversion/embed.c b/libvips/conversion/embed.c
@@ -217,7 +217,7 @@ vips_embed_base_paint_edge(VipsEmbedBase *base,
 		 */
 		for (y = 0; y < todo.height; y++) {
 			q = VIPS_REGION_ADDR(out_region, todo.left, todo.top + y);
-			memcpy(q, p, bs * todo.width);
+			memcpy(q, p, (size_t) bs * todo.width);
 		}
 	}
 
diff --git a/libvips/foreign/jp2ksave.c b/libvips/foreign/jp2ksave.c
@@ -482,7 +482,7 @@ vips_foreign_save_jp2k_sizeof_tile(VipsForeignSaveJp2k *jp2k, VipsRect *tile)
 			(double) tile->height / comp->dy);
 		;
 
-		size += output_width * output_height * sizeof_element;
+		size += (size_t) output_width * output_height * sizeof_element;
 	}
 
 	return size;
diff --git a/libvips/foreign/nsgifload.c b/libvips/foreign/nsgifload.c
@@ -512,7 +512,7 @@ vips_foreign_load_nsgif_generate(VipsRegion *out_region,
 			gif->frame_number = page;
 		}
 
-		p = (VipsPel *) gif->bitmap + line * gif->info->width * sizeof(int);
+		p = (VipsPel *) gif->bitmap + (size_t) line * gif->info->width * sizeof(int);
 		q = VIPS_REGION_ADDR(out_region, 0, r->top + y);
 		if (gif->has_transparency)
 			memcpy(q, p, VIPS_REGION_SIZEOF_LINE(out_region));
diff --git a/libvips/foreign/tiff2vips.c b/libvips/foreign/tiff2vips.c
@@ -1659,7 +1659,7 @@ static void
 rtiff_memcpy_f16_line(Rtiff *rtiff, VipsPel *q, VipsPel *p, int n, void *client)
 {
 	VipsImage *im = (VipsImage *) client;
-	size_t len = n * im->Bands;
+	size_t len = (size_t) n * im->Bands;
 
 	if (im->BandFmt == VIPS_FORMAT_COMPLEX ||
 		im->BandFmt == VIPS_FORMAT_DPCOMPLEX)
@@ -2107,7 +2107,7 @@ rtiff_decompress_jpeg_run(Rtiff *rtiff, j_decompress_ptr cinfo,
 	}
 
 	jpeg_calc_output_dimensions(cinfo);
-	bytes_per_scanline = cinfo->output_width * bytes_per_pixel;
+	bytes_per_scanline = (size_t) cinfo->output_width * bytes_per_pixel;
 
 	/* Double-check tile dimensions.
 	 */
diff --git a/libvips/foreign/vips2tiff.c b/libvips/foreign/vips2tiff.c
@@ -2302,7 +2302,7 @@ wtiff_copy_tiles(Wtiff *wtiff, TIFF *out, TIFF *in)
 	 * simpler than searching every page for the largest tile with
 	 * TIFFTAG_TILEBYTECOUNTS.
 	 */
-	tile_size = 2 * wtiff->tls * wtiff->tileh;
+	tile_size = (tsize_t) 2 * wtiff->tls * wtiff->tileh;
 
 	buf = vips_malloc(NULL, tile_size);
 
diff --git a/libvips/foreign/webp2vips.c b/libvips/foreign/webp2vips.c
@@ -305,7 +305,7 @@ vips_image_paint_image(VipsImage *frame,
 			}
 			else
 				memcpy((char *) q, (char *) p,
-					ovl.width * ps);
+					(size_t) ovl.width * ps);
 
 			p += VIPS_IMAGE_SIZEOF_LINE(sub);
 			q += VIPS_IMAGE_SIZEOF_LINE(frame);
diff --git a/libvips/foreign/webpsave.c b/libvips/foreign/webpsave.c
@@ -355,7 +355,7 @@ vips_foreign_save_webp_sink_disc(VipsRegion *region, VipsRect *area, void *a)
 		memcpy(webp->frame_bytes +
 				area->width * webp->write_y * save->ready->Bands,
 			VIPS_REGION_ADDR(region, 0, area->top + i),
-			area->width * save->ready->Bands);
+			(size_t) area->width * save->ready->Bands);
 
 		webp->write_y += 1;
 
diff --git a/libvips/iofuncs/image.c b/libvips/iofuncs/image.c
@@ -3241,7 +3241,7 @@ vips_image_write_line(VipsImage *image, int ypos, VipsPel *linebuffer)
 
 	/* Trigger evaluation callbacks for this image.
 	 */
-	vips_image_eval(image, ypos * image->Xsize);
+	vips_image_eval(image, (guint64) ypos * image->Xsize);
 	if (vips_image_iskilled(image))
 		return -1;
 
diff --git a/libvips/iofuncs/sink.c b/libvips/iofuncs/sink.c
@@ -238,7 +238,7 @@ sink_area_allocate_fn(VipsThreadState *state, void *a, gboolean *stop)
 
 	/* Add the number of pixels we've just allocated to progress.
 	 */
-	sink_base->processed += state->pos.width * state->pos.height;
+	sink_base->processed += (guint64) state->pos.width * state->pos.height;
 
 	return 0;
 }
diff --git a/libvips/iofuncs/sinkdisc.c b/libvips/iofuncs/sinkdisc.c
@@ -410,7 +410,7 @@ wbuffer_allocate_fn(VipsThreadState *state, void *a, gboolean *stop)
 
 	/* Add the number of pixels we've just allocated to progress.
 	 */
-	sink_base->processed += state->pos.width * state->pos.height;
+	sink_base->processed += (guint64) state->pos.width * state->pos.height;
 
 	return 0;
 }
diff --git a/libvips/iofuncs/sinkmemory.c b/libvips/iofuncs/sinkmemory.c
@@ -244,7 +244,7 @@ sink_memory_area_allocate_fn(VipsThreadState *state, void *a, gboolean *stop)
 
 	/* Add the number of pixels we've just allocated to progress.
 	 */
-	sink_base->processed += state->pos.width * state->pos.height;
+	sink_base->processed += (guint64) state->pos.width * state->pos.height;
 
 	return 0;
 }
diff --git a/libvips/mosaicing/matrixinvert.c b/libvips/mosaicing/matrixinvert.c
@@ -129,7 +129,7 @@ lu_decomp(VipsImage *mat)
 
 	/* copy all coefficients and then perform decomposition in-place */
 	memcpy(VIPS_MATRIX(lu, 0, 0), VIPS_MATRIX(mat, 0, 0),
-		mat->Xsize * mat->Xsize * sizeof(double));
+		(size_t) mat->Xsize * mat->Xsize * sizeof(double));
 
 	for (i = 0; i < mat->Xsize; ++i) {
 		row_scale[i] = 0.0;

Original file line number	Diff line number	Diff line change
`@@ -117,8 +117,8 @@ histogram_new(VipsHistFindIndexed *indexed)`
`117`	`117`	`!(hist->reg = vips_region_new(indexed->index_ready)))`
`118`	`118`	`return NULL;`
`119`	`119`
`120`		`- memset(hist->bins, 0, bands * hist->size * sizeof(double));`
`121`		`- memset(hist->init, 0, hist->size * sizeof(int));`
	`120`	`+ memset(hist->bins, 0, (size_t) bands * hist->size * sizeof(double));`
	`121`	`+ memset(hist->init, 0, (size_t) hist->size * sizeof(int));`
`122`	`122`
`123`	`123`	`return hist;`
`124`	`124`	`}`
Original file line number	Diff line number	Diff line change
`@@ -109,8 +109,8 @@ histogram_new(VipsProject *project)`
`109`	`109`	`!hist->row_sums)`
`110`	`110`	`return NULL;`
`111`	`111`
`112`		`- memset(hist->column_sums, 0, psize * in->Xsize);`
`113`		`- memset(hist->row_sums, 0, psize * in->Ysize);`
	`112`	`+ memset(hist->column_sums, 0, (size_t) psize * in->Xsize);`
	`113`	`+ memset(hist->row_sums, 0, (size_t) psize * in->Ysize);`
`114`	`114`
`115`	`115`	`return hist;`
`116`	`116`	`}`
Original file line number	Diff line number	Diff line change
`@@ -165,7 +165,7 @@ vips_col_Ch2hcmc(float C, float h)`
`165`	`165`	`}`
`166`	`166`
`167`	`167`	`P = cos(VIPS_RAD(k7 * h + k8));`
`168`		`- D = k4 + k5 * P * pow(VIPS_FABS(P), k6);`
	`168`	`+ D = k4 + k5 * P * (float) pow(VIPS_FABS(P), k6);`
`169`	`169`	`g = C * C * C * C;`
`170`	`170`	`f = sqrt(g / (g + 1900.0));`
`171`	`171`	`hcmc = h + D * f;`
Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ vips_bandfold_gen(VipsRegion *out_region,`
`96`	`96`	`/* We can't use vips_region_region() since we change pixel`
`97`	`97`	`* coordinates.`
`98`	`98`	`*/`
`99`		`- memcpy(q, p, psize * r->width);`
	`99`	`+ memcpy(q, p, (size_t) psize * r->width);`
`100`	`100`	`}`
`101`	`101`
`102`	`102`	`return 0;`
Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ vips_bandunfold_gen(VipsRegion *out_region,`
`99`	`99`	`/* We can't use vips_region_region() since we change pixel`
`100`	`100`	`* coordinates.`
`101`	`101`	`*/`
`102`		`- memcpy(q, p, r->width * psize);`
	`102`	`+ memcpy(q, p, (size_t) r->width * psize);`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`return 0;`
Original file line number	Diff line number	Diff line change
`@@ -217,7 +217,7 @@ vips_embed_base_paint_edge(VipsEmbedBase *base,`
`217`	`217`	`*/`
`218`	`218`	`for (y = 0; y < todo.height; y++) {`
`219`	`219`	`q = VIPS_REGION_ADDR(out_region, todo.left, todo.top + y);`
`220`		`- memcpy(q, p, bs * todo.width);`
	`220`	`+ memcpy(q, p, (size_t) bs * todo.width);`
`221`	`221`	`}`
`222`	`222`	`}`
`223`	`223`
Original file line number	Diff line number	Diff line change
`@@ -482,7 +482,7 @@ vips_foreign_save_jp2k_sizeof_tile(VipsForeignSaveJp2k jp2k, VipsRect tile)`
`482`	`482`	`(double) tile->height / comp->dy);`
`483`	`483`	`;`
`484`	`484`
`485`		`- size += output_width * output_height * sizeof_element;`
	`485`	`+ size += (size_t) output_width * output_height * sizeof_element;`
`486`	`486`	`}`
`487`	`487`
`488`	`488`	`return size;`
Original file line number	Diff line number	Diff line change
`@@ -512,7 +512,7 @@ vips_foreign_load_nsgif_generate(VipsRegion *out_region,`
`512`	`512`	`gif->frame_number = page;`
`513`	`513`	`}`
`514`	`514`
`515`		`- p = (VipsPel ) gif->bitmap + line gif->info->width * sizeof(int);`
	`515`	`+ p = (VipsPel ) gif->bitmap + (size_t) line gif->info->width * sizeof(int);`
`516`	`516`	`q = VIPS_REGION_ADDR(out_region, 0, r->top + y);`
`517`	`517`	`if (gif->has_transparency)`
`518`	`518`	`memcpy(q, p, VIPS_REGION_SIZEOF_LINE(out_region));`