Describe the bug
When trying to open a RAW video file that has no resolution information in the filename (e.g. 1.raw), YUView crashes instantly. The crash happens due to either:
QByteArray::resize assertion failure / abort when the calculated frame byte size (nrBytes) overflows to a negative integer.
- An uncaught
std::bad_alloc exception when trying to allocate a massive amount of memory for uninitialized or invalid resolution parameters.
This issue is particularly reproducible on Windows, but the underlying safety loopholes exist across all platforms.
Steps to reproduce
- Start YUView.
- Attempt to open a RAW file named
1.raw (which does not contain resolution indicators like _1920x1080_).
- The application aborts or crashes immediately.
Analysis of the root cause
- No bounds check on dimensions:
Size::isValid() only checks width > 0 && height > 0 but has no upper boundary check. Thus, huge or corrupted sizes parsed or guessed from files are accepted.
- Integer Overflow: In
PixelFormatRGB::getBytesPerFrame, multiplying large dimensions can overflow a 32-bit signed int to a negative value.
- No negative check in
FileSource: In FileSource::readBytes, there is no check for nrBytes <= 0. Passing a negative size to QByteArray::resize triggers an abort in Qt or casts it to a huge size_t allocation.
- Uncaught Exceptions: Functions like
playlistItemRawFile::loadRawData and videoHandler::loadFrame convert/read data without catching std::bad_alloc, causing unhandled exceptions to crash the application.
Describe the bug
When trying to open a RAW video file that has no resolution information in the filename (e.g.
1.raw), YUView crashes instantly. The crash happens due to either:QByteArray::resizeassertion failure / abort when the calculated frame byte size (nrBytes) overflows to a negative integer.std::bad_allocexception when trying to allocate a massive amount of memory for uninitialized or invalid resolution parameters.This issue is particularly reproducible on Windows, but the underlying safety loopholes exist across all platforms.
Steps to reproduce
1.raw(which does not contain resolution indicators like_1920x1080_).Analysis of the root cause
Size::isValid()only checkswidth > 0 && height > 0but has no upper boundary check. Thus, huge or corrupted sizes parsed or guessed from files are accepted.PixelFormatRGB::getBytesPerFrame, multiplying large dimensions can overflow a 32-bit signedintto a negative value.FileSource: InFileSource::readBytes, there is no check fornrBytes <= 0. Passing a negative size toQByteArray::resizetriggers an abort in Qt or casts it to a hugesize_tallocation.playlistItemRawFile::loadRawDataandvideoHandler::loadFrameconvert/read data without catchingstd::bad_alloc, causing unhandled exceptions to crash the application.