Fix oss-fuzz issue 44008: overflow in pixCountArbInRect() in pix3_fuz…

…zer.cc * Bug in pixel access in pixCountArbInRect(): using wrong depth * Now allow use on all pix with depth <= 8
DanBloomberg · Jan 24, 2022 · f694a02 · f694a02
1 parent 748723a
commit f694a02
Showing 1 changed file with 23 additions and 8 deletions.
diff --git a/src/pix3.c b/src/pix3.c
@@ -3322,7 +3322,7 @@ l_uint32   val0, val1;
 /*!
  * \brief   pixCountArbInRect()
  *
- * \param[in]    pixs     8 bpp, or colormapped
+ * \param[in]    pixs     1,2,4,8 bpp; can be colormapped
  * \param[in]    box      [optional] over which count is made;
  *                        use entire image if NULL
  * \param[in]    val      pixel value to count
@@ -3345,7 +3345,7 @@ pixCountArbInRect(PIX      *pixs,
                   l_int32   factor,
                   l_int32  *pcount)
 {
-l_int32    i, j, bx, by, bw, bh, w, h, wpl, pixval;
+l_int32    i, j, bx, by, bw, bh, w, h, d, wpl, pixval;
 l_uint32  *data, *line;
 
     PROCNAME("pixCountArbInRect");
@@ -3355,21 +3355,28 @@ l_uint32  *data, *line;
     *pcount = 0;
     if (!pixs)
         return ERROR_INT("pixs not defined", procName, 1);
-    if (pixGetDepth(pixs) != 8 && !pixGetColormap(pixs))
-        return ERROR_INT("pixs neither 8 bpp nor colormapped",
-                                 procName, 1);
+    d = pixGetDepth(pixs);
+    if (d != 1 && d != 2 && d != 4 && d != 8)
+        return ERROR_INT("pixs not 1, 2, 4 or 8 bpp", procName, 1);
     if (factor < 1)
         return ERROR_INT("sampling factor < 1", procName, 1);
 
     pixGetDimensions(pixs, &w, &h, NULL);
     data = pixGetData(pixs);
     wpl = pixGetWpl(pixs);
-
     if (!box) {
         for (i = 0; i < h; i += factor) {
             line = data + i * wpl;
             for (j = 0; j < w; j += factor) {
-                pixval = GET_DATA_BYTE(line, j);
+                if (d == 8) {
+                    pixval = GET_DATA_BYTE(line, j);
+                } else if (d == 1) {
+                    pixval = GET_DATA_BIT(line, j);
+                } else if (d == 2) {
+                    pixval = GET_DATA_DIBIT(line, j);
+                } else  /* d == 4 */  {
+                    pixval = GET_DATA_QBIT(line, j);
+                }
                 if (pixval == val) (*pcount)++;
             }
         }
@@ -3380,7 +3387,15 @@ l_uint32  *data, *line;
             line = data + (by + i) * wpl;
             for (j = 0; j < bw; j += factor) {
                 if (bx + j < 0 || bx + j >= w) continue;
-                pixval = GET_DATA_BYTE(line, bx + j);
+                if (d == 8) {
+                    pixval = GET_DATA_BYTE(line, bx + j);
+                } else if (d == 1) {
+                    pixval = GET_DATA_BIT(line, bx + j);
+                } else if (d == 2) {
+                    pixval = GET_DATA_DIBIT(line, bx + j);
+                } else  /* d == 4 */  {
+                    pixval = GET_DATA_QBIT(line, bx + j);
+                }
                 if (pixval == val) (*pcount)++;
             }
         }