ci: Fix UB in exif parse, revert PR #5113, move sanitizer test to 2026 (#5120)

lgritz · web-flow · commit 1dff182d2d5d · 2026-03-29T20:36:32.000-07:00
PR #5113 didn't fix all the problems after all. Revert it, because it's not needed after the real solution. The real solution is to mark tiff_datatype_to_typedesc() with OIIO_NO_SANITIZE_UNDEFINED to have the sanitizer skip it. What's happening is that corrupted files end up with a value in the data type field that is not a valid value of the TIFFDataType enum, and ubsan is flagging that. BUT... `tiff_datatype_to_typedesc()` itself is actually safe in that circumstance, because it's got a 'default` clause that handles the unknown enum values just fine. In contrast, I've been running around in circles trying to find something to do *within* that function to make it "safe" (by the sanitizer's reckoning), and trying to check for valid values prior to converting to a TIFFDataType is just too hard, partly because there are places where that conversion happens unchecked inside libtiff (C language, just does a cast), so it comes to us as a TIFFDataType already with an invalid value. It's easier to just mark the whole function as being ignored by ubsan, given that we can see by inspection that it has totally deterministic and desired behavior for the illegal values. Making this spurious ubsan error disappear allows us to upgrade the container version we are using for the "sanitizer" CI test variant, so we also push that all the way up to 2026. Signed-off-by: Larry Gritz <lg@larrygritz.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -347,12 +347,11 @@ jobs:
           - desc: Sanitizers
             nametag: sanitizer
             runner: ubuntu-latest
-            container: aswf/ci-oiio:2024.2
+            container: aswf/ci-oiio:2026.3
             cc_compiler: clang
             cxx_compiler: clang++
             build_type: Debug
-            opencolorio_ver: v2.4.2
-            python_ver: "3.11"
+            python_ver: "3.13"
             ctest_test_timeout: "1200"
             setenvs: export SANITIZE=address,undefined
                             OIIO_CMAKE_FLAGS="-DSANITIZE=address,undefined -DOIIO_HARDENING=3 -DUSE_PYTHON=0"
diff --git a/src/include/OpenImageIO/tiffutils.h b/src/include/OpenImageIO/tiffutils.h
@@ -159,7 +159,9 @@ OIIO_NAMESPACE_3_1_BEGIN
 /// obvious equivalent.
 OIIO_API TypeDesc tiff_datatype_to_typedesc (TIFFDataType tifftype, size_t tiffcount=1);
 
-OIIO_API TypeDesc tiff_datatype_to_typedesc (const TIFFDirEntry& dir);
+inline TypeDesc tiff_datatype_to_typedesc (const TIFFDirEntry& dir) {
+    return tiff_datatype_to_typedesc (TIFFDataType(dir.tdir_type), dir.tdir_count);
+}
 
 /// Return the data size (in bytes) of the TIFF type.
 OIIO_API size_t tiff_data_size (TIFFDataType tifftype);
diff --git a/src/libOpenImageIO/exif.cpp b/src/libOpenImageIO/exif.cpp
@@ -178,22 +178,12 @@ tiff_data_size(const TIFFDirEntry& dir)
 
 
 
-TypeDesc
-tiff_datatype_to_typedesc(const TIFFDirEntry& dir)
-{
-    // Check for corrupt/invalid value
-#if defined(TIFF_VERSION_BIG)
-    if (dir.tdir_type > TIFF_IFD8)
-#else
-    if (dir.tdir_type > TIFF_IFD)
-#endif
-        return TypeUnknown;
-    return tiff_datatype_to_typedesc(TIFFDataType(dir.tdir_type),
-                                     dir.tdir_count);
-}
-
-
-
+// N.B. We have to turn undefined behavior sanitizer off for this function
+// because ubsan will complain about tifftype being an invalid enum value in
+// cases where the value really is corrupted and invalid -- but the switch
+// statement here is nonetheless safe because it just returns TypeUnknown in
+// such cases.
+OIIO_NO_SANITIZE_UNDEFINED
 TypeDesc
 tiff_datatype_to_typedesc(TIFFDataType tifftype, size_t tiffcount)
 {
