[Bf-blender-cvs] [0ac83d05d7c] blender-v2.83-release: Fix T94661: Out-of-bounds memory access due to malformed DDS image file
Sergey Sharybin
noreply at git.blender.org
Tue Jan 18 10:54:17 CET 2022
Commit: 0ac83d05d7cccec436bb939e0aa768f6a3d77d72
Author: Sergey Sharybin
Date: Mon Jan 10 14:26:57 2022 +0100
Branches: blender-v2.83-release
https://developer.blender.org/rB0ac83d05d7cccec436bb939e0aa768f6a3d77d72
Fix T94661: Out-of-bounds memory access due to malformed DDS image file
Harden bounds check in the stream reader avoiding integer overflow.
===================================================================
M source/blender/imbuf/intern/dds/Stream.cpp
===================================================================
diff --git a/source/blender/imbuf/intern/dds/Stream.cpp b/source/blender/imbuf/intern/dds/Stream.cpp
index 271717f165c..a0a5a75ef8d 100644
--- a/source/blender/imbuf/intern/dds/Stream.cpp
+++ b/source/blender/imbuf/intern/dds/Stream.cpp
@@ -26,6 +26,21 @@
static const char *msg_error_seek = "DDS: trying to seek beyond end of stream (corrupt file?)";
static const char *msg_error_read = "DDS: trying to read beyond end of stream (corrupt file?)";
+inline bool is_read_within_bounds(const Stream &mem, unsigned int cnt)
+{
+ if (mem.pos >= mem.size) {
+ /* No more data remained in the memory buffer. */
+ return false;
+ }
+
+ if (cnt > mem.size - mem.pos) {
+ /* Reading past the memory bounds. */
+ return false;
+ }
+
+ return true;
+}
+
unsigned int Stream::seek(unsigned int p)
{
if (p > size) {
@@ -40,7 +55,7 @@ unsigned int Stream::seek(unsigned int p)
unsigned int mem_read(Stream &mem, unsigned long long &i)
{
- if (mem.pos + 8 > mem.size) {
+ if (!is_read_within_bounds(mem, 8)) {
mem.set_failed(msg_error_seek);
return (0);
}
@@ -51,7 +66,7 @@ unsigned int mem_read(Stream &mem, unsigned long long &i)
unsigned int mem_read(Stream &mem, unsigned int &i)
{
- if (mem.pos + 4 > mem.size) {
+ if (!is_read_within_bounds(mem, 4)) {
mem.set_failed(msg_error_read);
return (0);
}
@@ -62,7 +77,7 @@ unsigned int mem_read(Stream &mem, unsigned int &i)
unsigned int mem_read(Stream &mem, unsigned short &i)
{
- if (mem.pos + 2 > mem.size) {
+ if (!is_read_within_bounds(mem, 2)) {
mem.set_failed(msg_error_read);
return (0);
}
@@ -73,7 +88,7 @@ unsigned int mem_read(Stream &mem, unsigned short &i)
unsigned int mem_read(Stream &mem, unsigned char &i)
{
- if (mem.pos + 1 > mem.size) {
+ if (!is_read_within_bounds(mem, 1)) {
mem.set_failed(msg_error_read);
return (0);
}
@@ -84,7 +99,7 @@ unsigned int mem_read(Stream &mem, unsigned char &i)
unsigned int mem_read(Stream &mem, unsigned char *i, unsigned int cnt)
{
- if (mem.pos + cnt > mem.size) {
+ if (!is_read_within_bounds(mem, cnt)) {
mem.set_failed(msg_error_read);
return (0);
}
More information about the Bf-blender-cvs
mailing list