Skip to content

Fixes for heap overflow#1077

Merged
rapids-bot[bot] merged 7 commits into
mainfrom
cd/code-audit-address
May 4, 2026
Merged

Fixes for heap overflow#1077
rapids-bot[bot] merged 7 commits into
mainfrom
cd/code-audit-address

Conversation

@cdinea
Copy link
Copy Markdown
Contributor

@cdinea cdinea commented Apr 27, 2026

No description provided.

@cdinea cdinea requested review from a team as code owners April 27, 2026 04:37
@cdinea cdinea requested a review from bdice April 27, 2026 04:37
@copy-pr-bot
Copy link
Copy Markdown

copy-pr-bot Bot commented Apr 27, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

grlee77
grlee77 reviewed Apr 29, 2026
View reviewed changes
Comment thread cpp/include/cucim/util/checked_math.h Outdated
grlee77
grlee77 reviewed Apr 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@grlee77 grlee77 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I commented on an issue with hard-coded size limits that may be too restrictive in practice.

I also had a local agent review and it pointed out one remaining related issue:

High: J2K validation still does not validate component dimensions used by the SYCC converters.
cpp/plugins/cucim.kit.cuslide/src/cuslide/jpeg2k/libopenjpeg.cpp:231 validates output bytes from component 0 only. But cpp/plugins/
cucim.kit.cuslide/src/cuslide/jpeg2k/color_conversion.cpp:36 and cpp/plugins/cucim.kit.cuslide/src/cuslide/jpeg2k/color_conversion.cpp:122
read Cb/Cr based on component 0 geometry and subsampling assumptions. A malformed codestream with non-null but undersized chroma components
can still drive out-of-bounds reads. Add per-component dimension checks for RGB, 4:4:4, 4:2:2, and 4:2:0 before conversion.

Comment thread cpp/plugins/cucim.kit.cuslide/src/cuslide/tiff/ifd.cpp Outdated
Comment thread cpp/include/cucim/util/checked_math.h Outdated
@cdinea cdinea force-pushed the cd/code-audit-address branch from 6de1dda to 0892f3c Compare April 30, 2026 15:17
@cdinea cdinea self-assigned this Apr 30, 2026
@cdinea cdinea added the improvement Improves an existing functionality label Apr 30, 2026
@cdinea cdinea added this to the v26.06.00 milestone Apr 30, 2026
@cdinea cdinea added this to cucim Apr 30, 2026
@cdinea
Copy link
Copy Markdown
Contributor Author

cdinea commented Apr 30, 2026

I commented on an issue with hard-coded size limits that may be too restrictive in practice.

I also had a local agent review and it pointed out one remaining related issue:

High: J2K validation still does not validate component dimensions used by the SYCC converters.
cpp/plugins/cucim.kit.cuslide/src/cuslide/jpeg2k/libopenjpeg.cpp:231 validates output bytes from component 0 only. But cpp/plugins/
cucim.kit.cuslide/src/cuslide/jpeg2k/color_conversion.cpp:36 and cpp/plugins/cucim.kit.cuslide/src/cuslide/jpeg2k/color_conversion.cpp:122
read Cb/Cr based on component 0 geometry and subsampling assumptions. A malformed codestream with non-null but undersized chroma components
can still drive out-of-bounds reads. Add per-component dimension checks for RGB, 4:4:4, 4:2:2, and 4:2:0 before conversion.

thank you for the feedback @grlee77 - addressed the agent review in the latest commit . Added per-component dimension validation in libopenjpeg.cpp that computes the minimum expected chroma size as ceil(luma_dim / subsampling_factor) using each component's dx/dy values, and rejects the image if any chroma plane is undersized

@cdinea cdinea added the non-breaking Introduces a non-breaking change label Apr 30, 2026
@cdinea
Copy link
Copy Markdown
Contributor Author

cdinea commented Apr 30, 2026

/ok to test ccd27e8

@cdinea
Copy link
Copy Markdown
Contributor Author

cdinea commented Apr 30, 2026

/ok to test fd0aea1

@cdinea
Copy link
Copy Markdown
Contributor Author

cdinea commented Apr 30, 2026

/ok to test d4a8128

cdinea added 7 commits May 1, 2026 12:41
@cdinea
Add overflow-checked buffer size calculations for TIFF/JPEG2000 parsing
5805692 
- Add checked_math.h utility with overflow-checked multiplication for buffer sizes
- Fix tile_raster_size_nbytes() overflow in cuslide and cuslide2
- Fix IFD::read() raster size overflow and RGBA fallback path
- Fix libjpeg_turbo.cpp tjAlloc buffer size overflow
- Add dest_nbytes validation to JPEG2000 color conversion functions
- Add bounds check on tile index access in read_region_tiles/read_region_tiles_boundary
- Fix raw.cpp: validate source size before memcpy
- Fix deflate.cpp: check libdeflate_zlib_decompress return value
- Fix tiff.cpp: overflow-checked raster_size in read_associated_image
@cdinea
Add J2K post-decode dimension and NULL validation
8e68ecf 
- Validate decoded J2K dimensions against dest buffer immediately after opj_decode
- Add NULL check on all component data pointers before color conversion
- Defense-in-depth: catches malformed codestreams before entering color conversion
@cdinea
Raise default size limits and add env var overrides (CUCIM_MAX_TILE_B…
253c189 
…YTES, CUCIM_MAX_RASTER_BYTES)
@cdinea
Use overflow-only check for user-supplied region size in IFD::read
35d5bb1
@cdinea
Add per-component dimension validation
d6ab6fc
@cdinea
Fix LZW tmsize_t truncation, add file-level offset validation, and va…
8cdf41b 
…lidate pread return values
@cdinea
Update SPDX copyright years to 2026
5441fdc
@cdinea cdinea force-pushed the cd/code-audit-address branch from d4a8128 to 5441fdc Compare May 1, 2026 19:44
@cdinea cdinea changed the title [DRAFT] Code audit remediation address [DRAFT] Fixes for heap overflow May 1, 2026
@jakirkham
Copy link
Copy Markdown
Member

jakirkham commented May 1, 2026

/ok to test 5441fdc

grlee77
grlee77 approved these changes May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@grlee77 grlee77 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @cdinea, looks good to me (once CI passes)

gigony
gigony approved these changes May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gigony gigony left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @cdinea for handling the issues! It looks good to me! Please remove the 'draft' tag from the PR title now.

@cdinea
Copy link
Copy Markdown
Contributor Author

cdinea commented May 1, 2026

thank you for the (re)review and approval @grlee77 @gigony

jakirkham
jakirkham approved these changes May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@jakirkham jakirkham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Cristiana for working on this! Also thanks Gigon and Greg for reviewing 🙏

@jakirkham jakirkham changed the title [DRAFT] Fixes for heap overflow Fixes for heap overflow May 2, 2026
@grlee77
Copy link
Copy Markdown
Contributor

grlee77 commented May 3, 2026

/ok to test 5441fdc

@jakirkham
Copy link
Copy Markdown
Member

jakirkham commented May 4, 2026

/merge

@rapids-bot rapids-bot Bot merged commit 378ec31 into main May 4, 2026
635 of 708 checks passed
@github-project-automation github-project-automation Bot moved this to Done in cucim May 4, 2026
@jakirkham jakirkham deleted the cd/code-audit-address branch May 4, 2026 18:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gigony gigony gigony approved these changes

@jakirkham jakirkham jakirkham approved these changes

@grlee77 grlee77 grlee77 approved these changes

@bdice bdice Awaiting requested review from bdice bdice was automatically assigned from rapidsai/packaging-codeowners

Assignees

@cdinea cdinea

Labels

improvement Improves an existing functionality non-breaking Introduces a non-breaking change

Projects

cucim
Status: Done

Milestone

v26.06.00

Development

Successfully merging this pull request may close these issues.

4 participants

@cdinea @jakirkham @grlee77 @gigony