New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add range check to NewDecoder #32
Conversation
Note that the example code does not include a range check, so many people using this library might not be either, causing potential DoS vulnerabilities due to panic. Adding the check to the library instead of requiring users to do it prevents any such vulnerabilities. |
Hi @alexrsagen, Thanks for the PR! There's definitely some sharp edges here that haven't been sanded down. I don't think this case warrants a new error. In all other cases, a buffer that doesn't contain an image returns |
Hey, thanks for the review @brian-armstrong-discord! I've made the requested change. I thought of the same initially, but got hung up on wording ("too small to hold image"). I mentioned this to @SpencerSharkey and IIRC he also thought this seemed weird for this case. Anyway that's just semantics, not really important for the end result. I agree the error message should be the same because of its nature. I think the same range check should also be added to |
I also noticed |
Hi @alexrsagen, Just to be clear, the error we'd want to use here is The To give more context, that error occurs when In the case of the opencv decoder, we're specifying a 1-dimensional array on top of the buffer. An array of size To reiterate, the only error that should actually be produced by the decoder creation is |
Thanks for the explanation of that error case. Indeed it does seem that is one of those "universe correctness" tests which is only useful for detecting cosmic rays corrupting your memory :) Though it certainly doesn't hurt to have the check in place, it might not be neccessary like you say. If you decide a panic would be better, i believe it should panic on its own (nil pointer dereference) in the error case, without needing a direct call to What are your thoughts on adding a zero-length check to |
As a reminder, please change https://github.com/discordapp/lilliput/pull/32/files#diff-7679cb56f5ca76ab584bbc8032a4892eR65 to Regarding the encoder - maybe. I'd like to handle that in another PR. There's a related bit that probably needs revisiting at https://github.com/discordapp/lilliput/blob/master/opencv.go#L346 (scary XXXs!) OpenCV will just build a new buffer if you give it one that's too small, which sort of disrupts various assumptions in this library (and how people will use it). So I'd like to think about it some more. |
Updated the error type! I would recommend creating a memory release function in void opencv_mat_release(const opencv_mat mat) {
auto cvMat = static_cast<const cv::Mat *>(mat);
cvMat->release();
} and calling it at the point of scary XXXs in the code. As You can verify the memory deallocation by checking the |
I'm not sure. Like I said, I'd like to think about it some more. The trickiness here regards user expectations. The user gave us a buffer to write into, and instead we allocated a new buffer and wrote into that one. It's not good that it happened at all, but throwing away the result doesn't necessarily feel right. I think the right option here might be to further fork opencv and disable this behavior, since it's nonsensical anyway. Anyway, thanks for the patch. |
The current code produces the following error on an empty buffer. The added range check prevents it from panicking, instead returning an error.