> The whole file is effectively a write-what-where primitive2. In addition to that, the Count Info Table is not bounds checked either...
File formats like that, with many offsets in the file, are troublesome. There used to be more formats like that. Microsoft Word .doc is the classic example.
OpenJPEG 2000 has a similar problem. I just hit that yesterday.[1] Valgrind is finding references to un-initialized data which affect control flow, and running the JPEG decoder on valid but truncated files (which is allowed) is causing bad memory reference crashes and errors.
New formats like this are rare. People have learned. A modern exception is Unreal Engine 5's Nanite, which has much offset data, and there may be an attack surface there for hostile game content. Nanite is a way to store a graphics mesh with both multiple levels of detail and common submeshes. It's a hierarchy of directed acyclic graphs, flattened into a linear file with offsets. And, sure enough, there are many crash reports. At least Unreal provides a validator for the format.
(If only C/C++ had slices in the language. Most of the things for which pointer arithmetic is used can be done with slices. Slices really are pointer arithmetic, with sanity.)
[1] https://github.com/uclouvain/openjpeg/issues/1459
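As an added illustration (not code from the comment above, OpenJPEG, or Unreal), here is the "slices with sanity" idea in C: a pointer that carries its length, used to validate a hypothetical offset table before any offset is followed, including the truncated-file case. The file format, the `validate_offset_table` function and the sample bytes are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
/* A pointer that carries its own length: pointer arithmetic "with sanity". */
typedef struct { const uint8_t *p; size_t len; } slice;
/* Sub-slice [off, off+n). Written so that off+n cannot wrap around. */
static bool slice_sub(slice s, size_t off, size_t n, slice *out) {
    if (off > s.len || n > s.len - off) return false;
    out->p = s.p + off; out->len = n;
    return true;
}
/* Read a little-endian u32 at `off`, only if all four bytes are inside the slice. */
static bool read_u32le(slice s, size_t off, uint32_t *v) {
    slice f;
    if (!slice_sub(s, off, 4, &f)) return false;
    *v = (uint32_t)f.p[0] | (uint32_t)f.p[1] << 8 |
         (uint32_t)f.p[2] << 16 | (uint32_t)f.p[3] << 24;
    return true;
}
/* Hypothetical format (constructed for this example): u32 count, then `count` u32
   file offsets; each points at a record of u32 length followed by that many bytes.
   Every offset and length is checked against the buffer before use. Returns the
   record count, or -1 if the file is truncated or any offset/length escapes it. */
static int validate_offset_table(const uint8_t *buf, size_t len) {
    slice file = { buf, len };
    uint32_t count;
    if (!read_u32le(file, 0, &count)) return -1;
    if (count > (file.len - 4) / 4) return -1;      /* the table itself must fit */
    for (uint32_t i = 0; i < count; i++) {
        uint32_t off, rlen;
        slice rec;
        if (!read_u32le(file, 4 + (size_t)i * 4, &off)) return -1;
        if (!read_u32le(file, off, &rlen)) return -1;
        if (!slice_sub(file, (size_t)off + 4, rlen, &rec)) return -1;
    }
    return (int)count;
}
/* Constructed sample: count=2, offsets 12 and 19, records "abc" and "z". */
static const uint8_t good[] = { 2,0,0,0, 12,0,0,0, 19,0,0,0,
                                3,0,0,0, 'a','b','c', 1,0,0,0, 'z' };
static int demo_good(void)      { return validate_offset_table(good, sizeof good); }
static int demo_truncated(void) { return validate_offset_table(good, sizeof good - 1); }
static int demo_wild_offset(void) {          /* second offset points past the end */
    uint8_t bad[sizeof good]; memcpy(bad, good, sizeof good);
    bad[8] = 0xF0; bad[9] = bad[10] = bad[11] = 0xFF;
    return validate_offset_table(bad, sizeof bad);
}
```

The validator only checks that nothing escapes the buffer; overlapping records and cycles in a more complex hierarchy would need their own checks.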