Merge pull request #25328 from dkurt:fix_rng_fill_oob

Resolve out of bound write in RNG::fill
pull/25335/head
Alexander Smorkalov 8 months ago committed by GitHub
commit 87e0246bb0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
  1. 5
      modules/core/src/rand.cpp

@ -544,7 +544,7 @@ void RNG::fill( InputOutputArray _mat, int disttype,
if( disttype == UNIFORM )
{
_parambuf.allocate((sizeof(DivStruct)+sizeof(double)-1)/sizeof(double) + cn*2 + n1 + n2);
_parambuf.allocate(cn*(sizeof(DivStruct)+sizeof(double)-1)/sizeof(double) + cn*4);
double* parambuf = _parambuf.data();
double* p1 = _param1.ptr<double>();
double* p2 = _param2.ptr<double>();
@ -570,6 +570,7 @@ void RNG::fill( InputOutputArray _mat, int disttype,
if( CV_IS_INT_TYPE(depth) )
{
Vec2l* ip = (Vec2l*)(parambuf + cn*2);
CV_DbgCheckLT((size_t)(cn*4 - 1), _parambuf.size(), "");
for( j = 0, fast_int_mode = true; j < cn; j++ )
{
double a = std::min(p1[j], p2[j]);
@ -615,6 +616,7 @@ void RNG::fill( InputOutputArray _mat, int disttype,
if( !fast_int_mode )
{
DivStruct* ds = (DivStruct*)(ip + cn);
CV_DbgCheckLE((void*)(ds + cn), (void*)(parambuf + _parambuf.size()), "Last byte check");
for( j = 0; j < cn; j++ )
{
ds[j].delta = ip[j][1];
@ -645,6 +647,7 @@ void RNG::fill( InputOutputArray _mat, int disttype,
// so that a signed 32/64-bit integer X is transformed to
// the range [param1.val[i], param2.val[i]) using
// dparam[0][i]*X + dparam[1][i]
CV_DbgCheckLT((size_t)(cn*4 - 1), _parambuf.size(), "");
if( depth != CV_64F )
{
Vec2f* fp = (Vec2f*)(parambuf + cn*2);
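Review bot: The three added bounds checks (`CV_DbgCheckLT` before the `ip` loop and before the `fp` cast, `CV_DbgCheckLE` after the `ds` cast) are debug-only macros, so in release builds the only protection against a write past `_parambuf` is the size formula on the `_parambuf.allocate(cn*(sizeof(DivStruct)+sizeof(double)-1)/sizeof(double) + cn*4)` line, which appears to be the new side of the first hunk. Nothing next to that line states the layout it has to cover; I would add a comment such as `// size in doubles: cn*4 reaches the end of the cn value pairs at parambuf + cn*2; the rest holds cn DivStruct, rounded up`, so the formula can be audited together with the offsets `parambuf + cn*2` and `ip + cn`. The two `CV_DbgCheckLT` calls pass an empty message, unlike the `"Last byte check"` one; a short text such as `"pair array end"` would make a debug failure self-explanatory. The old formula's `n1 + n2` terms are gone and `n1`/`n2` are defined outside the hunks, so it is worth confirming that whatever is written into the first `cn*2` doubles never needs more than that space. `RNG::fill` begins and ends outside the hunks shown.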
