From 0443beb7860e6fff51c30802a1c7524929921495 Mon Sep 17 00:00:00 2001 From: tomaioo Date: Thu, 18 Jun 2026 17:09:27 -0700 Subject: [PATCH] fix(security): integer overflow in chirp size calculation In Chirp.cpp, the code checks if d_size > d_maxsize before converting to int, but uses std::floor(d_size) which returns a double. The check d_size > d_maxsize where d_maxsize = numeric_limits::max() is not sufficient to prevent all overflow cases due to floating-point precision issues. A very large double value near INT_MAX could pass the check but still overflow when converted to int. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- cxx/isce3/focus/Chirp.cpp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cxx/isce3/focus/Chirp.cpp b/cxx/isce3/focus/Chirp.cpp index 30bd50d0b..27ac89684 100644 --- a/cxx/isce3/focus/Chirp.cpp +++ b/cxx/isce3/focus/Chirp.cpp @@ -28,8 +28,7 @@ formLinearChirp(double chirprate, // check for possible overflow before double -> int conversion double d_size = samplerate * duration + 1; - double d_maxsize = std::numeric_limits::max(); - if (d_size > d_maxsize) { + if (d_size > std::numeric_limits::max() || d_size < std::numeric_limits::min()) { throw isce3::except::OverflowError(ISCE_SRCINFO(), "chirp size exceeds max int value"); }