fix(softimage): validate channel packet metadata

ssh4net · ssh4net · commit 427438250410 · 2026-05-05T15:20:59.000+09:00
Signed-off-by: Vlad (Kuzmin) Erium &lt;libalias@gmail.com&gt;
diff --git a/src/softimage.imageio/softimageinput.cpp b/src/softimage.imageio/softimageinput.cpp
@@ -114,6 +114,7 @@ SoftimageInput::open(const std::string& name, ImageSpec& spec)
 
     // Get the ChannelPackets
     ChannelPacket curPacket;
+    int bits_per_channel = 0;
     std::vector<std::string> encodings;
     do {
         // Read the next packet into curPacket and store it off
@@ -129,13 +130,37 @@ SoftimageInput::open(const std::string& name, ImageSpec& spec)
             close();
             return false;
         }
+
+        if (bits_per_channel == 0) {
+            bits_per_channel = curPacket.size;
+        } else if (curPacket.size != bits_per_channel) {
+            errorfmt("Inconsistent bits per channel {}", curPacket.size);
+            close();
+            return false;
+        }
+
+        if ((curPacket.type & 0x3) > MIXED_RUN_LENGTH) {
+            errorfmt("Unsupported channel encoding {}",
+                     static_cast<int>(curPacket.type));
+            close();
+            return false;
+        }
+
+        if (curPacket.channelCode
+            & ~(RED_CHANNEL | GREEN_CHANNEL | BLUE_CHANNEL | ALPHA_CHANNEL)) {
+            errorfmt("Unsupported channel code 0x{:x}",
+                     static_cast<int>(curPacket.channelCode));
+            close();
+            return false;
+        }
+
         if (curPacket.channelCode == 0) {
-            errorfmt("Channel packet with no channels");
+            errorfmt("Channel packet has no channels");
             close();
             return false;
         }
-        m_channel_packets.push_back(curPacket);
 
+        m_channel_packets.push_back(curPacket);
         encodings.push_back(encoding_name(m_channel_packets.back().type));
 
         if (m_channel_packets.size() > 4) {
diff --git a/testsuite/softimage/ref/out.txt b/testsuite/softimage/ref/out.txt
@@ -44,3 +44,6 @@ src/broken01.pic :   16 x    4, 1 channel, uint8 softimage
     Stats FiniteCount: 64 
     Constant: No
     Monochrome: Yes
+inconsistent-bpc-uncompressed-rejected
+inconsistent-bpc-pure-rle-rejected
+inconsistent-bpc-mixed-rle-rejected
diff --git a/testsuite/softimage/run.py b/testsuite/softimage/run.py
@@ -13,3 +13,15 @@
 # Regression testing of error handling and corrupt files
 command += info_command ("--stats src/broken01.pic",
                          info_program="iinfo", failureok=True)
+
+command += run_app (pythonbin + " src/make-malformed-channel-pics.py",
+                    silent=True)
+malformed_channel_files = [
+    "inconsistent-bpc-uncompressed.pic",
+    "inconsistent-bpc-pure-rle.pic",
+    "inconsistent-bpc-mixed-rle.pic",
+]
+for f in malformed_channel_files:
+    command += run_app ("(" + oiio_app("iconvert") + f
+                        + " out.null > /dev/null 2>&1 "
+                        + "|| echo " + f.replace(".pic", "-rejected") + ")")
diff --git a/testsuite/softimage/src/make-malformed-channel-pics.py b/testsuite/softimage/src/make-malformed-channel-pics.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+
+# Copyright Contributors to the OpenImageIO project.
+# SPDX-License-Identifier: Apache-2.0
+# https://github.com/AcademySoftwareFoundation/OpenImageIO
+
+import struct
+
+
+MAGIC = 0x5380F634
+WIDTH = 2
+HEIGHT = 1
+RED_CHANNEL = 0x80
+GREEN_CHANNEL = 0x40
+
+UNCOMPRESSED = 0
+PURE_RUN_LENGTH = 1
+MIXED_RUN_LENGTH = 2
+
+
+def header():
+    comment = b"Malformed channel packet regression"
+    return struct.pack(">If80s4sHHfHH", MAGIC, 1.0, comment, b"PICT",
+                       WIDTH, HEIGHT, 1.0, 0, 0)
+
+
+def channel_packet(chained, size, encoding, channel):
+    return bytes((chained, size, encoding, channel))
+
+
+def write_pic(filename, encoding, red_payload, green_payload):
+    with open(filename, "wb") as out:
+        out.write(header())
+        out.write(channel_packet(1, 16, encoding, RED_CHANNEL))
+        out.write(channel_packet(0, 8, encoding, GREEN_CHANNEL))
+        out.write(red_payload)
+        out.write(green_payload)
+
+
+write_pic("inconsistent-bpc-uncompressed.pic", UNCOMPRESSED,
+          b"\x00\x10\x00\x20", b"\x30\x40")
+write_pic("inconsistent-bpc-pure-rle.pic", PURE_RUN_LENGTH,
+          b"\x02\x00\x10", b"\x02\x30")
+write_pic("inconsistent-bpc-mixed-rle.pic", MIXED_RUN_LENGTH,
+          b"\x01\x00\x10\x00\x20", b"\x01\x30\x40")
