GHSA-qg8r-f7x3-25f7: imageproc: Out-of-bounds read via NaN coordinates in bilinear/bicubic sampling

A bounds check was performed in floating points before a cast to the index passed to an unchecked access function. This checked considered NaN cases improperly, causing them to succeed the check instead of failing it. The floating point coordinate is under caller control by passing a selected projection matrix.

Carefully controlling the coordinates of an image with no data and one non-zero dimension provides an arbitrary read primitive in the first 32-bits of address space with a Bilinear sampling method.

Using bicubic sampling can result in a read of a few bytes beyond an allocation.

Other out-of-bounds reads may be possible.